Health IT

By Alice Lipowicz

Kaiser official defends security practices for veterans health data

In the last several days, I have read a news article and a blog post that raise questions about Kaiser Permanente’s privacy and security policies regarding the medical records of its patients — including the records of about 450 veterans participating in a Kaiser/Veterans Affairs Department health data exchange pilot program in San Diego.

The articles suggest that Kaiser handles patient data security differently, and possibly more daringly, than other health plans.

I spoke with Dr. John Mattison, chief medical information officer for Kaiser Permanente Southern California, about the situation. He told me Kaiser uses a comprehensive system of privacy and security based on compliance with the Health Insurance Portability and Accountability Act and all applicable laws. The system includes using role-based access privileges like most other health systems, and Kaiser has been performing algorithmic surveillance of the systems to detect anomalies that could indicate unauthorized access, he said.

“We do not allow everyone to see everything,” Mattison said today. “We allow access based on roles — which include receptionist, medical assistant, quality assurance officer, coding or billing officers. We have security profiles, and you can only see what is allowed for that role.”

Typically, health systems have about 40 to 2,000 different user profiles and corresponding levels of access in their systems, Mattison said. Kaiser’s number of roles “is in the middle of that range.”

“We are using the same restrictions as the rest of the industry, and we are pretty much in the middle of the industry for integrated organizations,” Mattison said. Also, Kaiser is forging ahead in deploying its surveillance software to better detect anomalies, he added.

As for suggestions that Kaiser’s security is more “daring” than other health plans, Mattison disagreed with that assessment. “There are some false assumptions underlying that premise,” Mattison said.

The veterans who are sharing data with Kaiser through the Nationwide Information Health Network (NHIN) should be confident that their data is secure, Mattison said. That is because all of the NHIN’s stringent security and privacy protocols are being followed, he said. He noted that Kaiser and veterans health facilities have been exchanging records for many years in a paper format by mail. The paper records pass from mail room to mail room, with numerous clerks involved.

“Your records are more secure in being exchanged through the NHIN than through the U.S. mail,” Mattison said.

Posted by Alice Lipowicz on Mar 05, 2010 at 12:14 PM

Reader comments

Fri, Mar 12, 2010

The VA needs to re-evaluate their data sharing agreement with Kaiser Permanente. Two of Kaiser Permanente's top doctors were quoted by reporters making undeniably contradictory statements about how Kaiser Permanente manages user access to sensitive information that Kaiser Permanente is required to safeguard. Kaiser's renowned public relations area then quickly stepped in (assigning a VP whose title includes "Incident and Brand Management") who quickly claimed there was no contradiction and nothing to worry about. Yeah, right. I believe it is imperative the VA use this information gleaned during this data sharing "pilot" and demand a complete audit showing the actual security practices at Kaiser Permanente.

Fri, Mar 5, 2010

Wow... this is completely different from what Eric Liederman, MD, Kaiser Permanente's director of medical informatics, said at HIMSS earlier this week. Just a few days ago Dr. Liederman was quoted by the journal Health Data Management about the very risky approach that Kaiser was taking. Here's a link to that article: So, which one of these two "spokesmen" for Kaiser is telling the truth?
