A Portland official acknowledged Tuesday that the city did not initially follow proper protocols before sharing the protected personal health information of more than 200 HIV-positive patients with researchers at the University of Southern Maine.

“Although USM’s researchers’ original written assurance that they would protect such information did not include all of the language required in a HIPAA business associate agreement, the city and USM promptly corrected that technical deficiency by executing a fully HIPAA-compliant business associate agreement,” City Hall Communications Director Jessica Grondin said in a written statement Tuesday evening.

Two former patients at a city-run clinic and two doctors who worked there have accused the city of violating the Health Insurance Portability and Accountability Act, or HIPAA, which is intended to protect the privacy of personal health information. Their accusation stems from the fact that the city did not get written permission from patients before sharing their names and contact information with researchers.

The two doctors at the India Street Public Health Center also criticized the city’s response to the concerns of patients who received care at the city-run clinic. And a former patient, who is part of a group overseeing the USM survey, pushed back against the city’s assertion that the group was fully informed of the city’s plans to pass the patient information to researchers.

Earlier Tuesday, Grondin said city attorneys had advised staff – including Julie Sullivan, an adviser to the city manager and the city’s former public health director who oversaw the process, and Dr. Kolawole Bankole, the city’s current public health director who is also a member of the Muskie School’s Public Health Adjunct Faculty – to not give interviews.

“We are not going to do interviews,” Grondin said then. “The information we sent you speaks for itself.”


Grondin brushed off a reporter’s request for the names of the city employees who created the list of patient information and gave it to USM so they could conduct a survey of former HIV patients at the city’s health center. The survey is designed to get feedback about each patient’s experience in finding new medical providers after the city closed its Positive Health Care program last year.


Mayor Ethan Strimling said he supports the survey, but wants to ensure that the patients’ concerns are being addressed. He also is interested in seeing new policies and procedures the city says it adopted after the backlash from patients.

“I feel like doing the survey was very important,” Strimling said. “I want to find out what happened to the patients who were there. I hope we can figure out a way to make this work for the patients and the researchers going forward.”

Former patients were first notified of the survey in a Nov. 3 letter from USM, which indicated that researchers received their contact information from the city. A USM official said in an interview that the institution received the information in October, after its institutional review board had established guidelines for handling and protecting the information.

The city suspended the survey after receiving two formal complaints, one of which was filed Nov. 11. After an investigation, the city entered into a new agreement with USM that included additional privacy protections. The survey is now moving forward and is expected to be finished in January, city officials said.


City Councilor Belinda Ray, who leads the council’s Health and Human Services Committee, which will review the survey results, did not respond to a request for comment Tuesday.

In a letter sent to patients Nov. 11, Bankole said the HIPAA law allows the city to share protected health information without patient consent for the purposes of research or program evaluation, provided that researchers ensure the confidentiality of that information and do not identify any patients in subsequent research reports.


Patient privacy violations under HIPAA can be costly. The U.S. Department of Health and Human Services, as well as state attorneys general, have authority to investigate improper disclosures, negotiate settlements and impose civil or criminal penalties. The severity of those penalties depends on the nature and circumstances of the violation.

In February, the DHHS Office for Civil Rights fined Children’s Medical Center of Dallas $3.2 million after someone stole unencrypted mobile devices containing information on more than 6,000 patients. In another case, St. Luke’s-Roosevelt Hospital in New York was fined $387,000 in May for disclosing protected information about an HIV patient to the patient’s employer.

The incident in Portland reopened old wounds caused by the city’s decision to transition a federal grant for the Ryan White HIV Positive Health Care, which served many LGBT patients, to the Portland Community Health Center, which is now Greater Portland Health. In hours of public testimony, patients pleaded with councilors to preserve the clinic, but the council moved forward with the plan last year. A city analysis showed that only 33 of the 229 patients moved to Greater Portland Health, which was fewer than expected.


Two former doctors at the city clinic said they had previously warned the city that creating a list of patient names and contact information would be a breach of privacy.

Dr. Caroline Teschke, the former program manager at the clinic, said the federal agency that funded the Ryan White Program a few years ago required the city to get written consent from each patient before reporting individual data to the federal agency. Before that change, the agency only collected aggregate data that did not identify patients, she said.

“They were absolutely adamant that we obtained consent from every single person in the program,” Teschke said. “The consent had to be written in such a way that patients knew exactly what was entailed before their information was released. It was time-consuming, but we did it. In addition, a standard consent form always spells out in very specific terms what may or may not be released, and individuals have a right to exclude certain information if they so wish.”

USM Assistant Provost of Research Ross Hickey said USM researchers who received the initial list of patient names and contact information were under the impression that the patients had authorized the release of their information.

Hickey did not respond to questions Tuesday about why the university believed patients had consented to the release of their information and how USM received the patient information: by email, certified mail or another means.

After the city received complaints, it suspended the survey. It then entered into a business associate agreement with USM, which is one of several ways to share patient information without consent, according to a summary of privacy protections posted by the federal DHHS.


The city’s letter to patients contained an apology for not doing more to inform patients about the survey ahead of time. It also noted that the city was “implementing new and updated policies and procedures for ensuring that our health care entities and programs better communicate with patients regarding uses and disclosures of their patients’ (protected health information) for these types of research, program evaluation and business associate-related purposes going forward.”


The city would not provide a copy of the old and new policies and procedures when asked Tuesday. Nor did it provide blank consent and release forms that patients at the HIV clinic may have been asked to sign.

Meanwhile, Teschke and Dr. Ann Lemire, the clinic’s former medical director, said that the city’s letter, which is loaded with legal terminology, only made “a bad situation worse.”

“Once again they have violated the patients’ integrity with their lack of respect by sending this letter that no one will understand,” Lemire said. “I hope that people will feel free to contact the Attorney General’s Office for a solid opinion and not rely on those proposed in this letter.”

A spokesman for the AG’s Office said Tuesday that it could not immediately answer questions about the circumstances under which an institution can share health information with researchers without a patient’s consent, and whether the rules were different for sexually transmitted diseases, such as HIV.


Lemire, who said she refused to provide the list when asked six weeks ago, said the city should have been extra careful with the HIV patient information because it was a relatively small group. “No institution worth its salt would do research without an updated consent on what the research was, how it would impact the patient (both privacy-wise and participation-wise) and by what means would the results be shared with the participants,” she said in an email.


A member of the city’s Patient Advocacy Committee also pushed back against the city’s response Tuesday.

Jenson Steel, a former patient at the city clinic and committee member, said Sullivan, the city’s former public health director, told the committee Aug. 29 that the city would be mailing the surveys, not USM, in order to protect patient privacy.

Grondin said that wasn’t the case.

“USM was at the meeting we had with the PAC – and we spoke clearly about what the process would be,” she said. “We asked explicitly about how to contact people in the hour-and-a-half meeting that was held. We have kept the PAC informed all along.”


Steel said he would “testify in court” that Sullivan assured the group that the city would be mailing the information to patients. He sent an email to Grondin on Tuesday afternoon, seeking an apology.

“I specifically voiced that the mailing has to come from the city or there would be repercussions from the patients,” he said, adding that he was upset that the city was trying to “discredit a displaced patient who was trying to help.”

“They can dispute it all they want,” he said.

Randy Billings can be contacted at 791-6346 or at:

[email protected]

Twitter: randybillings

Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.