Michigan health dept. probes possible release of confidential HIV information
“While we cannot comment on the specifics of the current internal investigation, at this point in time we do not believe there has been an unauthorized disclosure of health information. However, if we thought there had been an unauthorized disclosure, we would have immediately started taking steps to notify any potentially affected individuals,” wrote Angela Minicucci, spokesperson for MDCH, in an April 20 email to The American Independent. “At this time that’s all I can share with you without delving into further specifics and potentially compromising the investigation.”
Minicucci reiterated this information in a second email on April 20.
“I do want you to keep in mind what I mentioned earlier and to understand that the investigation is not complete,” Minicucci wrote. “That said, at the point we are currently at, we do not believe that an unauthorized disclosure has taken place.”
Michigan maintains confidential records in its HIV Event System, which permanently stores information about people who have tested positive for HIV, including names, other identifying information, and demographic information.
The documents describing the investigation, released in response to a Michigan Freedom of Information Act request, show the department has been looking into a series of incidents in which thousands of emails were allegedly forwarded from department accounts to outside email addresses.
One document indicates that a database containing “protected health information on approximately 3,800 people with HIV and 2,100 partners” may have been released. According to that document, however, the database did not contain any names.
The documents do not make clear what exactly was contained in that database. In a phone interview with TAI, Minicucci said the department is certain the database did not contain names, dates of birth, or Social Security Numbers. Those three items, she said, were “key private health information identifiers.”
TAI asked Lance Gable, a professor at Wayne State University Law School who specializes in health issues, to review the documents obtained by TAI.
“Whether the database in question contained sufficient information to violate [federal health information privacy laws] HIPAA [and] HITECH, and state laws related to preventing unauthorized disclosure of HIV information will depend on what information is actually in the database,” Gable told TAI. “Removal of names does not necessarily mean that the data have been de-identified. A person may be identified through other data. However, until there is more information, I do not feel comfortable assessing whether the MDCH conclusion is reasonable or not.”
Documents show the department’s investigation, which is being conducted in conjunction with the state Attorney General’s office, could result in criminal charges. Michigan law has a strict confidentiality provision related to HIV information. The law, MCL 333.5131, specifically outlines when and where such information can be revealed. Revealing that information in violation of the act is a misdemeanor, with punishments of up to one year in jail and/or a $5,000 fine. That law is repeatedly referenced in the documents describing the investigation.
The department declined to release some documents to TAI, saying that releasing them would interfere with the investigation into the “alleged wrong disclosure” of information protected by state law. Some documents were withheld because they were considered to be subject to attorney-client privilege.
In addition, investigators are reviewing possible violations of the confidentiality agreements employees of MDCH sign. Those agreements read, in part:
“The misuse or removal of confidential information from the premises of DHWDC [Division of Health, Wellness and Disease Control] by an employee or staff member, except with prior written authorization of the Division Director and as necessary in the performance of a duty related to the services of DHWDC shall be grounds for immediate discharge.”
A March 12, 2012, email from Mikelle Robinson, a department employee, summed up the results of a report provided by Kerie Hughes, the technical services manager for the Michigan Public Health Institute, a state contractor. That report was the result of a review of thousands of emails to determine what, if any, private health information was released. The Robinson email references information contained in the emails relating to the case of a Grand Rapids-area man who has been charged with failing to disclose his HIV status to two sex partners. The man allegedly admitted to police that he had attempted to infect hundreds of people through unprotected sex and needle sharing. Robinson states that the suspect’s information was included, but correctly notes that the information had already been shared in the media.
The email then referenced the database described as containing “protected health information.”
“The only other issue was the database that had protected health information on approximately 3,800 people with HIV and 2,100 partners,” Robinson wrote to Jean Chabut, deputy director for MDCH’s Public Health Administration, and Matthew Rick, director of the MDCH Office of Legal Affairs. “However there were no names used. Codes were utilized for each person and there was no key. One of the things she [Hughes] said though is that there is physician information and locations listed. Do you think that this would be a breach of protected information if there are no names in the database?”
According to Minicucci, the investigation into the potential release of private information is part of a larger internal investigation being conducted within MDCH.
TAI requested the documents after being informed on March 28 of an “on-going internal investigation” at the department. At the time, Minicucci cited the investigation as the reason MDCH was unable to answer questions about the department’s decision to cut and then restore funding to an AIDS services organization in Flint.
If you are, in fact, not being used as a weapon against Amna Osman, how come you were so willing to blast her name all over your “article” about Wellness of Flint but in this article, you have chosen to omit the names of the people involved in the mass email incident? That information is included in what you FOIA’ed, right?
Your motives are very suspect at best….