Sacramento – The California Department of Health Care Services (DHCS) has failed to provide a meaningful explanation for its illegal release of the names of some 5,000 HIV-positive Medi-Cal recipients to a third-party service provider, said attorneys at Lambda Legal, the American Civil Liberties Union of Northern California (ACLU-NC), and HIV & AIDS Legal Services Alliance (HALSA). A letter delivered to the agency from the groups today warns that DHCS must immediately act to protect the confidentiality of HIV patients, or face further steps that could include legal action.
DHCS admits to revealing the names and contact information of thousands of Medi-Cal recipients to the AIDS Healthcare Foundation (AHF) between February and December 2009. In a letter sent to the legal organizations on October 4, DHCS claimed that doing so violated no law because it "did not provide AHF with lists of beneficiaries who had tested positive for HIV." Instead, DHCS says it simply "provided AHF with contact information for approximately 5,000 beneficiaries who were eligible" for the disease management program. One of the eligibility criteria for that program, however, was that the Medi-Cal recipients must have been diagnosed with HIV.
"We were expecting a legitimate answer and what we got was a through-the-looking-glass piece of reasoning," said Peter Renn, staff attorney with Lambda Legal. "Releasing names and contact information of people who qualify for an HIV management program is the same as disclosing their HIV status. It's unacceptable and against the law. And it can harm patients, because when people do not have confidence that their privacy will be maintained, they may choose not to seek testing or medical care."
Today's letter reads in part that the groups "are now even more acutely concerned that DHCS will continue to violate the privacy rights of HIV-positive Medi-Cal recipients. If DHCS does not immediately notify us that it is planning on taking the steps to ensure patient privacy that are listed in our September 9 letter, we will need to take additional steps to ensure that DHCS protects Medi-Cal patient privacy in compliance with state law."
"The state stepped out of bounds when it disclosed the confidential records of HIV-positive Medi-Cal patients, even including their contact information," said Elizabeth Gill, Staff Attorney at the ACLU of Northern California. "Medical records contain highly sensitive and personal information, and DHCS had no right to give out that information without people's permission."
Lambda Legal and ACLU of Northern California became aware of the breach during discussions about AB 2590, a bill which aimed to dilute the strong confidentiality protections under California law for those with HIV/AIDS and attempted to legalize the unauthorized release of such information to an HIV/AIDS service provider. Although current law forbids unauthorized disclosures about a person's HIV status, the state agency released confidential identifying information about HIV-positive Medi-Cal recipients without authorization or proper limitations on how that information was to be used by a private organization, AIDS Healthcare Foundation.
The previous letter, delivered on September 9, demanded that DHCS comply with California law and stop releasing information to third-party service providers. It also demanded that the state agency provide a full accounting of exactly what information was released. Lambda Legal, the ACLU, and HALSA also submitted a request under the California Public Records Act requesting documents regarding the release, with any confidential information removed. DHCS missed an October 7 extended deadline to reply to the request for public information.
Letter to CA Dept. of Health Care Services (Oct. 19, 2010)