Investigative

Planned Parenthood has a history of failing to protect patient privacy under HIPAA

Americans are told that abortion is a “right” based on privacy. But when abortion providers like Planned Parenthood violate the privacy of women, abortion-friendly media and politicians are silent.

Planned Parenthood receives half a billion dollars annually from taxpayers and claims the majority of these dollars are Medicaid reimbursements. According to the Centers for Medicare and Medicaid Services (CMS), recipients of government programs that pay for health care, like Medicaid, must comply with the Health Insurance Portability and Accountability Act known as HIPAA.

But is Planned Parenthood following HIPAA laws? Multiple instances of privacy breaches at Planned Parenthood say no.

The latest video released by the Center for Medical Progress (CMP) further confirms what many already know all too well: when it comes to the privacy of abortion patients, Planned Parenthood is anything but trustworthy. Former Stem Express procurement technician, Holly O’Donnell, told CMP that Planned Parenthood revealed private patient medical information to third party contractors at fetal tissue procurement agency StemExpress in order to meet the company’s quotas for harvesting body parts from Planned Parenthood abortions:

O’Donnell said Planned Parenthood staff provided StemExpress contractors with private medical information of pregnant women coming into Planned Parenthood: “We’d go to the head nurse, let the nurses know, hey, this is what I’m looking for today. They’d give you a sheet of the appointments, which women were coming in, and it would tell you how many patients, what time they were coming in, their name, and if they knew how far along they were.”

Clearly, disclosing patient names is a violation of HIPAA.

According to HHS, the Privacy Rule protects all “individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral… Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).”

In 2016, the Washington Times reported, “The day before abortions were scheduled to take place… StemExpress was notified by fax by the clinics and granted medical files on individual patients.” O’Donnell told CMP that Planned Parenthood handed over a list of patient names and other private information to third party contractors before these patients signed a consent to release their personal information.

O’Donnell also reveals that Planned Parenthood gave StemExpress access to patient medical charts and even to the clinics’ computer network to download patient schedules across the entire Planned Parenthood affiliate. Emails from StemExpress management instruct procurement technicians: “EVERY Friday – please provide schedules for all the clinics you work in,” and, “All computers have access to other clinics.”

While this should shock politicians and media alike, tragically, accusations of carelessness and lack of concern for patient privacy at Planned Parenthood is not new.

In September of 2016, Live Action News released a two-part series exposing the way Planned Parenthood and the general abortion industry recklessly handles patient privacy. In those reports were documented case after case where Planned Parenthood was given a slap on the wrist for violating patient privacy — and in the cases reviewed at that time, no civil penalties had been issued.

CMS states that the U.S. Department of Health and Human Services Office for Civil Rights “enforces the HIPAA Privacy, Security, and Breach Notification Rules. Violations may result in civil monetary penalties. In some cases, criminal penalties enforced by the U.S. Department of Justice may apply.”

Breaches expose thousands of individuals

1. Planned Parenthood of Greater Washington and North Idaho (PPGWNI): 10,700 individuals exposed

A review of archived privacy breaches on file with the Office for Civil Rights (OCR), which affect more than 500 patients, reveals that in August 2016, Planned Parenthood of Greater Washington and North Idaho (PPGWNI), reported a breach which exposed 10,700 individuals.

2. Planned Parenthood Southwest Ohio: 5,000 individuals exposed

Another breach report states that on October 1, 2014, Planned Parenthood Southwest Ohio disposed of binders containing protected health information (PHI) for 5000 individuals, including names, dates of birth, lab results, and medications. Exactly what occurred in the privacy breach? Planned Parenthood’s archived prescription dispensing logs and waived lab test logs were left in an unlocked closet after business hours and a custodian mistakenly put them in a trash dumpster. The following morning, the dumpster was emptied by the trash collector, who took it to be buried with other garbage at a landfill that same day. And, as Planned Parenthood often claims it does when it violates government requirements, Planned Parenthood told the OCR that they conducted an investigation and re-trained all staff regarding HIPAA policies and procedures.

3. Planned Parenthood of the Heartland: 2,506 individuals exposed

Still under investigation is a July 2016 breach report reported by Planned Parenthood of the Heartland. This breach for “Unauthorized Access/Disclosure” affected 2,506 individuals. No additional information is available from OCR; however, HIPAA Journal reported the following:

The health center permanently closed its doors to patients this April year and the premises was listed for sale and was sold. However, hard copies of patient files were left in the Dubuque health center. In April 2016, individuals entered the medical center and could potentially have viewed and/or copied patient files. The potential breach was discovered by Planned Parenthood on May 6, 2016. The files have now been removed from the premises and have been secured. Planned Parenthood said this was an isolated incident and is not representative of the stringent privacy standards usually maintained by the healthcare organization.

Health Care Compliance Association summarized another case where Planned Parenthood violated privacy of a patient.  In January 2017, HCCA wrote, “a complaint filed against Planned Parenthood alleged that an employee posted a description of the procedure the individual had performed at the clinic on the individual’s public Facebook page.”

In response, HCCA states, “OCR sent Planned Parenthood the regulatory section on reasonable safeguards
and encouraged it to “assess and determine whether there may have been noncompliance… and if so, to take steps to ensure such noncompliance does not occur in the future.”

Other breaches

In addition to those listed above, the following are known instances of privacy breaches at Planned Parenthood:

  • A California Planned Parenthood patient reported that following her visit, she received two text messages from an anonymous number, reading, “Damn, you have an STD WOW.”
  • A Napa Planned Parenthood receptionist admitted to state officials that she had looked at private patient records because she was curious.
  • Alleged Planned Parenthood patient wrote online, “a worker there told a family member of mine about my privacy.”
  • In 2011, OCR received a complaint alleging that a worker at Planned Parenthood in New York “impermissibly disclosed” the complainant’s health information to her sister’s friend.
  • In 2012, a complainant informed the governing body that she had received a call from Planned Parenthood of Northeast Ohio asking her to contact them regarding recent test results. During the call, it was determined that she was not the correct patient.
  • In 2013, OCR was notified that Planned Parenthood of Delaware violated the Federal Standards for Privacy of Individually Identifiable Health Information.
  • That same year, Melody Meanor, the former Health Center Manager of Family Planning at Planned Parenthood of Delaware in Wilmington went public to expose the center’s privacy policies. A video and transcript of her statement is available online.
  • In 2013, a complaint was filed against a Planned Parenthood in Chicago, Illinois, which alleged that an employee impermissibly disclosed her private health information to a third party on Facebook.
  • complaint received by OCR in 2014 alleged that a Planned Parenthood in Trexlertown, Pennsylvania, violated the Federal Standards for Privacy Identifiable Health Information after sending a bill for a patient to the wrong person.
  • A 2014 complaint filed with the Texas Medical Board by former Planned Parenthood director, Abby Johnson, alleges that a Texas Planned Parenthood e-mailed their abortionist the ultrasound information of their patients — but not in encrypted form.
  • TAB, a records management company working with PPFA for over a decade, identified what they called “some serious problems” with the records of Planned Parenthood of Illinois, which oversees 17 branch locations.

In CMP’s video interview, O’Donnell tells David Daleiden that she has witnessed her colleagues log onto Planned Parenthood’s computers. O’Donnell provided copies of e-mails to CMP to support her claims.

“They would let us look at the physical charts outside the room,” O’Donnell stated, claiming that she was even asked to write in a Planned Parenthood patient’s chart, which she says she refused to do.

So much for privacy at Planned Parenthood.

Comments
To Top