At my current and previous employer, third-party benefits administrators have disclosed my Social Security number to my health insurance providers, even after I explicitly asked them not to. This blog chronicles my ongoing effort to get my SSN purged from the insurance company databases.
Sunday, November 21, 2010
2010.11.20 - filed complaint with California Department of Insurance
My last resort before proceeding with a costly legal battle. The entire complaint can be viewed here.
Thursday, November 11, 2010
2010.11.11 - consulted an attorney
Spoke to a very sharp-sounding and supportive attorney at Just Health and Family Law. She seems to agree that a "strongly worded" letter to Delta's legal department could very likely preclude the need for an actual lawsuit. The fees seem reasonable and I will probably move forward in a day or so.
2010.11.11 - requested assistance from CA insurance commissioner
Submitted to https://interactive.web.insurance.ca.gov/contactCSD/ContactUs.jsp
Contact Information Confirmation
Congratulations! Your inquiry has been successfully submitted and a representative from the Department will be contacting you. The following information has been submitted to the California Department of Insurance.
Thursday, November 4, 2010
2010.11.4 - sent letter to Delta legal department
After Peg Esteves stated that the DMHC and HIPAA specify retention policies of seven and six years, respectively, I investigated this and found that neither is the case. I contacted Peg Esteves to let her know, and she reiterated that the best thing to do would be to send a follow-up letter to Delta's legal department.
I mailed this letter to the legal department, and sent a copy to Peg as well.
2010.11.4 - spoke with Peg Estaves at Delta Dental
I called Delta Dental again, just now, hoping to speak to someone more sane and level-headed than Jessica Austin. The initial representative almost instantly came across as sort of blunt and confrontational, which gave me an unsettling feeling. I thought, "are all Delta's employees just crazy?"
However, that rep transferred me to her supervisor, Peg Estaves, who was so much more helpful than Jessica. Instead of just telling me "we can't remove your information", she cited a specific six year retention policy within HIPAA, as well as an even longer seven year retention policy that was mandated by none other than the DMHC.
Peg even told me I could write to Delta's legal department if I had further concerns!
I thanked Peg profusely for being so helpful, and I will now attempt to verify the seven year requirement with the DMHC.
2010.11.4 - called Jessica Austin at Delta Dental
Around 11AM, I called Jessica Austin at 877.335.8273 x2203. I explained to her my findings regarding the sections of Title 45 which Delta had cited in their response to my DMHC complaint. I asked her why Delta was refusing to remove my information. Just like last time, she spoke to me very vacantly, refusing to acknowledge my question of why Delta was refusing to remove my information.
Jessica made several assertions which seemed to have been fabricated on the spot. For instance, she told me that I should be dealing with the DMHC, not Delta Dental. I told her that I had already called them, and attempted to explain to her that the DMHC only deals with Knox-Keene compliance, so Delta's claim about Title 45 was outside the DMHC's jurisdiction. But Jessica cut me off and asserted that the DMHC deals with all regulation of health plans.
Once I finally was able to explain to her that Title 45 was outside the DMHC's jurisdiction, Jessica said (paraphrasing), "well then it's outside of our jurisdiction too." I told her that didn't make sense, since Title 45 was the actual legislation that Delta Dental cited in their response to my DMHC complaint!
Jessica repeatedly said things like, "I don't know what you want me to tell you", or "I've answered your question -- we are unable to remove your information from our records." Just like in our last phone "conversation", I repeatedly told her that my question was why they "could not" remove my information. She continually asserted that she had done all she could do and did not want to "argue" with me. She refused to actually answer my very straightforward questions.
Eventually Jessica put me on hold for about two minutes, then came back on and reiterated what she had said, and then told me she was going to disconnect the call, then wished me happy holidays, then hung up.
2010.10.28 - checked in with DMHC
Contacted Laurenne Brown at the Department of Managed Health Care, at 888.466.2219 at 1PM on 2010.10.27, and the man I spoke with left a message for her to call me back within “24-48 hours”.
Laurenne called me at 11:10AM on 2010.10.28 Thursday and explained that there was nothing they could do because their jurisdiction is the Knox-Keene Act, which is separate from Title 45.
2010.10.25 - DMHC sent response to complaint
Received this letter, which essentially just forwards Delta Dental's response. The letter contains this:
Delta is legally required to hold original records regarding communications and any actions or activities for six years from the date of creation. The law which stipulates this can be found in Title 45, Code of Federal Regulations, section 164.316(b)(2)((i)), which states that a covered entity must "retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later."
But this law only pertains to documentation that the insurance company is complying with standards, e.g. “those factors specified in 164.306(b)(2)(i), (ii), (iii), and (iv)”. Those are:
(2) In deciding which security measures to use, a covered entity must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to electronic protected health information.
The section cited in the letter, which cites these four factors, is:
164.316 - Policies and procedures and documentation requirements.
A covered entity must, in accordance with 164.306: (a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.
(b)(1) Standard: Documentation. (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) If an action, activity or assessment is required by this sub-part to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. [I, Clay Shentrup, note that there is nothing in here about storing my actual personal information.]
(2) Implementation specifications: (i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
My assessment is that:
- This law only requires documentation of compliance with certain specific security and privacy regulations, not documentation of all correspondence regarding every member.
- Even if it did require documentation of all correspondence pertaining to members, that could be as simple as a record like "Received patient's initial registration paperwork." That is, documentation of correspondence does not inherently mean documentation of the full contents of that correspondence. This law says absolutely nothing about documenting the full contents of anything.