State flags LVHN for privacy breach
Man says doctor illegally tapped his medical records
A man who spent a couple months in Lehigh Valley Hospital claims in a lawsuit that a doctor who wasn’t treating him and with whom he had a contentious business relationship illegally tapped into his medical records a dozen times, a claim Lehigh Valley Health Network and the state Health Department acknowledged in letters to the patient.
The case apparently led the Health Department recently to cite Lehigh Valley Health Network for not protecting confidential patient information. In June, the department posted a report from a May 6 inspection that concluded LVHN hadn’t made changes to safeguard patient data despite the network’s own finding that a physician in 2017 had perused medical information for months on a patient that doctor wasn’t treating.
The department concluded “the facility failed to maintain a medical record in a confidential manner and failed to safeguard the access to confidential patient information.”
The citation did not identify the patient but did say that the person was discharged on April 1, 2017. That is the date Steven Kahlon, who sued LVHN last year for a privacy breach, was discharged from Lehigh Valley Hospital, according to records filed in his case. Among those records is a May 6 letter from the Health Department inform
ing Kahlon that it looked into his complaints against LVHN and found violations of state and federal regulations. The Health Department’s website listed only one recent inspection at LVHN involving a privacy violation — the one conducted on May 6.
A central dispute in Kahlon’s lawsuit is whether LVHN knowingly ignored Kahlon’s complaints of privacy violations and, through inaction, failed to prevent inappropriate access of his health information for months. The case shows the vulnerability of patient data as technology makes it easier for more people to see patient information across an increasingly consolidated health industry.
Kahlon contends in the suit that as he lay in a bed at LVH in 2017, Dr. Johnny Shea-Yuan Chung entered into his room and demanded he sign documents to relinquish his ownership of a business they owned together.
Letters and other filings in the case allege Chung, a well-known plastic surgeon in the Lehigh Valley, looked at Kahlon’s medical information a dozen times between February and June in 2017, even though he was not treating Kahlon. In a Sept. 19, 2017, letter from LVHN to Kahlon that was submitted as evidence, LVHN said it conducted an internal investigation and found that a provider, who wasn’t named in the letter, inappropriately looked at Kahlon’s record a dozen times in that time period.
And in an April 24, 2018 response to Kaylon’s lawsuit, LVHN admitted that on the 12 dates cited in the lawsuit “Chung, or someone using Chung’s authorization code, engaged in unauthorized access to Kahlon’s EMR (electronic medical record).”
LVHN in turn added Chung and his practice, Aesthetic Surgery Associates, as defendants, saying, “if the allegations in plaintiff’s complaint were true, the additional defendants — not LVH — should be held liable.”
In a court filing, Chung, who has since left LVHN, called Kahlon’s lawsuit frivolous. He also denied improperly accessing Kahlon’s medical records, breaching any legal obligations or violating the law, and claimed that he had an active doctorpatient relationship with Kahlon at the time.
Through Aesthetic Surgery Associates, where he has been treating patients since 2005, Chung declined to comment for this story. His lawyers did not respond to a reporter’s calls for comment. There are no disciplinary actions on Chung’s record, according to the Pennsylvania Department of State.
Because the case is in litigation, Kahlon, who lives in New Tripoli, said he did not want to comment. His lawyer did not return a call for comment.
Brian Downs, spokesman for LVHN, defended the network’s practices regarding privacy and the Epic electronic record system used by the network.
“LVH has an aggressive and continuous review process to ensure the appropriate caregivers are accessing medical records correctly,” he said. “[Electronic health records] allow us to audit who reviews medical records far better than was the case in the days of paper records. LVHN acted quickly when made aware of this situation and we remain in contact with the Department of Health on this issue.”
Downs said Chung no longer has privileges at Lehigh Valley Hospital, adding that he was never employed by LVHN.
Chung left “during the time LVHN was investigating a patient complaint,” Downs said.
LVHN is working on a plan to address the issues cited by the Health Department in its May 6 inspection, Nate Wardle, a department spokesman, said. The department recently removed that inspection report from its website. Wardle said it will be reposted when LVHN submits its plan.
Who can access medical records?
Inappropriate use of the medical record system and poor safeguards are two common privacy violations. And they are on the rise.
Complaints of health privacy law violations increased almost 50 percent from 2015 to nearly 26,000 in 2018. The number of cases that required corrective action by health providers increased from about the same percentage, to 995 in 2018.
The Health Insurance Portability and Accountability Act, also known as HIPAA, was enacted to prevent health providers from sharing patient medical information without their permission. However, the law was amended in 2002 to allow providers to share information for treatment, health care operations and payment purposes without patient consent, a change that privacy advocates say shifted rights from the patient and compromised their privacy.
Doctors and health systems that fail to protect patient information are investigated by the U.S. Health and Human Services Department’s Office of Civil Rights. The department would not say if it is investigating Chung or LVHN.
Patients have 180 days to submit a complaint after discovering a violation. The U.S. Justice Department also has the authority to investigate the allegations and violators could face fines of up to $250,000 and jail time, according to the American Medical Association.
Technology has only heightened concerns about breaches. Electronic health record systems are built to allow for easy access and sharing, said Dr. Deborah Peel, founder and president of the Patient Privacy Rights, an organization that promotes personal control of health information. But the systems were built more with emergencies in mind, enabling thousands of people in a hospital system to see a patient’s record, she said.
While hospitals are required to protect patient information, how they do that can vary greatly. Electronic systems allow hospitals to customize the level of access given to staff. LVHN and St. Luke’s University Health Network use Epic, whose software is used by health facilities across the globe to track more than 250 million patients. Hospitals might limit access to records to certain clinical and administrative staff, or might let some employees see basic information while others can see in-depth medical histories, according to a HIPAA expert at the American Medical Association, who was not authorized to speak to media.
The law says safeguards must be in place but doesn’t spell out what they should look like, which gives hospitals flexibility, said Jolene Calla, the vice president of health care finance and insurance at The Hospital and Healthsystem Association of Pennsylvania. For example, a doctor in the maternity wing may not have access to records for patients in the intensive care unit.
“It’s not one size fits all,” she said.
Because the matter is in litigation, Downs said LVHN would not divulge its policies on Epic record access and sharing. St. Luke’s University Health Network, which also uses Epic, would not discuss its access policies.
In June, LVHN announced that it’s strengthening a data sharing partnership with CVS to track patients who are not picking up their medication and to build programs on preventing illnesses. St. Luke’s has a similar relationship with the retail pharmacy. This potentially opens another portal to some patient information.
Record sharing was created to provide better, more cohesive quality of care but privacy has been the trade-off, said Deven McGraw, former deputy director for health information privacy at HHS’ Office for Civil Rights. Aggregated health data allow doctors to easily access the information thsey need to provide care, including allergies, chronic health issues, prescriptions and other health history.
“Sharing in some aspects is critically important, but when you make that data more available, you also make it more available for bad,” said McGraw, who now works for a firm that is developing software to make it easier for patients to control their own medical data.
The lawsuit
The complaint Kahlon filed against LVHN on March 16, 2018, and other key documents in the lawsuit were sealed in Lehigh County court to keep his medical issues private. However, the complaint appears to turn up more than once on the electronic docket, including as a public record attached to an exhibit in August 2018. Letters from the Health Department and LVHN to Kahlon also are public in the file, as well as a few other documents.
“After investigating your reported concern, we have identified that, on numerous occasions, an LVHN affiliated provider accessed your medical record without a business need to do so,” LVHN told Kahlon in the Sept. 19, 2017, letter. “The electronic medical record contains all of your demographic and clinical information.”
According to the complaint that turns up in the August 2018 filing, Kahlon claimed that Chung found his hospital room by looking at his medical records. The complaint says Kahlon called his father, Sucha Kahlon, when Chung first showed up shortly after he was admitted to Lehigh Vallley Hospital in February 2017 and that Sucha Kahlon instructed nurses to keep Chung from the room. Sucha Kahlon asked nurses to call security, but they refused, according to court documents. The nurses “indicated that due to Chung’s power and influence at the hospital, that they could not comply with Mr. Kahlon’s father’s request,” the suit contends.
Kahlon said in the suit that he complained to the staff about Chung at least 30 times after his stay but did not get a response from LVHN until September, five months after he was discharged.
LVHN denied that employees were made aware of the potential problem in February, claiming in court documents that they were not aware of the problem until June.
The relationship between Chung and Kahlon was fraught with contention long before Kahlon was admitted to the hospital.
A separate lawsuit in Lehigh County that recently was settled, shows Kahlon and Chung owned a car dealership in Lebanon County with a third partner. The other two partners sued Kahlon alleging he did not contribute his share of the startup costs and that he altered financial documents to make the company seem more stable than it was. Kahlon denied the allegations.
That lawsuit against Kahlon was filed around the time he was discharged from the hospital in 2017. The terms of the settlement were not disclosed.
Kahlon, in the breach of privacy lawsuit, is seeking an undisclosed amount in damages.
Binghui Huang can be reached at 610-820-6745 and Bhuang@mcall.com