The ACLU and two AIDS advocacy groups claim the state’s Medi-Cal program illegally disclosed the names and contact information of about 5,000 AIDS patients.
The state health insurance program acknowledges that it provided patient names, addresses and phone numbers to an AIDS treatment organization in Los Angeles, but said that group had contracted with the state in 2007 to serve those patients.
But ACLU attorney Elizabeth Gill characterizes the sharing as a privacy breach that violates California law [PDF] requiring civil and criminal penalties for disclosing the results of an AIDS test, an act the ACLU claims the state committed [PDF].
“The department’s action here is illegal and unethical,” Gill said.
A complaint letter about the disclosure was sent yesterday to state authorities by the ACLU, Lambda Legal, and the HIV and AIDS Legal Services Alliance. The groups have demanded an explanation from the state for why the information was shared.
Norman Williams, spokesman for the Department of Health Care Services, said Medi-Cal entered into a "business associate agreement" with the nonprofit conducting patient outreach, binding it to follow all state and federal standards. What's more, he said, the state agency did not disclose the health condition or any medical claims data about any patient.
Although the ACLU did not accuse the organization that received the information of any wrongdoing, a spokesman for the contractor, the Los Angeles-based AIDS Healthcare Foundation, defended the state's decision to share patient information for a pilot project meant to improve HIV/AIDS patient care.
Spokesman Ged Kenslea said the ACLU’s concerns about privacy are eclipsed by the life-or-death importance of ensuring patients get appropriate care and medications.
“If we are sacrificing California AIDS patient health on the alter of privacy, then we’ve gone too far,” said Kenslea, communications director for the foundation.
This year, the AIDS Healthcare Foundation had sponsored the bill by Assemblywoman Bonnie Lowenthal, D-Long Beach, which would have empowered the Medi-Cal agency to give the foundation's staff all the information it needed to identify HIV/AIDS patients.
According to an analysis of the bill, the foundation entered into a $1 million contract in 2007 with Medi-Cal to provide disease management to HIV and AIDS patients, meaning it would conduct outreach, coordinate care and provide education.
However, after finding that some patient addresses were listed as "lives in car," the foundation was only able to reach about 400 patients and enroll 150 in the program, according to the bill analysis and interviews.
As such, the foundation sought legislation to enhance the state’s ability to share information with the contractor, after getting consent from patients. The bill died in committee.
The ACLU learned of the data disclosure during discussion about the bill, and the organization balked.
Gill said an established body of research shows that people are less likely to seek HIV testing or treatment if they fear that their condition will be exposed. She also said state law clearly prohibits unauthorized disclosure of personally identifying information about AIDS patients.
Kenslea, of the foundation, said his organization is sensitive to patient confidentiality and takes strides to protect it. Nevertheless, the state contract with the AIDS Healthcare Foundation is no longer in place, Williams said.
A copy of the ACLU, Lambda Legal and HIV and AIDS Legal Services Alliance letter: