For years, the Oklahoma State Department of Health (OSDH) has collected Oklahomans’ personal medical information via patient-discharge data.
An agency spokesperson has acknowledged that practice has been in place for years.
But when an open-records request asked if the Oklahoma State Department of Health sells that data to third parties, the agency’s tune changed. The agency’s open-records division now claims there is no patient data being collected.
The OSDH’s collection of patient data, combined with its schizophrenic responses regarding uses of that data, are cause for alarm, according to Dr. Keith Smith, co-founder of the Surgery Center of Oklahoma and a member of the board of trustees of the Oklahoma Council of Public Affairs (OCPA).
“They have collected patient information without the statutory authority to do so for years,” Smith said. “And citizens have reason to wonder if any state agency is then selling this information to vendors who are unknown to the taxpayers. If so, that agency’s budget should at the very least be adjusted to the extent that this betrayal of Oklahomans’ confidential information generates revenue for them. Oklahomans should know to whom information is sold and the revenue generated.”
Smith and officials at the Surgery Center of Oklahoma have long fought state demands for patients’ personal data.
In 2003, the center successfully fought against an OSDH demand for the facility’s patient discharge data, noting that the law cited by the agency did not include entities like the Surgery Center of Oklahoma. OSDH officials eventually relented, acknowledging that officials at the Surgery Center were correct.
But the OSDH again demanded that the center hand over patient information this year, citing changes in state law enacted in 2022. However, officials with the Surgery Center noted that the changes made to state law did not alter the language determining which entities are required to report patient information to the state and said the Surgery Center remains exempt.
In a Feb. 1, 2024 letter sent to the OSDH, an official representing the Surgery Center highlighted that fact and stressed that doctors have an ethical and legal obligation to keep patient information confidential.
The letter noted that the Surgery Center of Oklahoma is “owned by physicians, all of whom have an obligation to maintain patient confidentiality in the absence of the express consent of the patients to submit their confidential information to third parties. We do not have consents of that nature from our patients.”
In a March 29 response to a request for comment, Erica Rankin-Riley, public information officer at the Oklahoma State Department of Health, defended the agency’s practice of collecting patient data from medical providers.
Rankin-Riley said hospital discharge data has been reported to the state since 1992 and that the Oklahoma State Department of Health has been tasked with that assignment since 1998.
“We originally collected only Inpatient and Outpatient Surgery Hospitalizations (aka encounters or discharges),” Rankin-Riley said. “We were directed to expand collection to include free standing Ambulatory Surgery Center discharges and most recently in 2020 Emergency Department discharges.”
Rankin-Riley said the agency posts the patient data collected from medical providers to OK2SHARE, the agency’s web-based data query system, “which allows users to generate aggregate statistics from the data.” That data is also used to create a public use data file (PUDF) for four datasets: inpatient, hospital-based outpatient surgery, ambulatory surgery centers, and emergency rooms.
“The public files contain patient level data but considerable efforts are taken to ensure that individual patients are not identified in the PUDF,” Rankin-Riley said. “Public files are designed to provide public health personnel, purchasers, payers, providers, consumers, and researchers useful information to make informed decisions. The PUDF is available for purchase and does require a data use agreement to gain access.”
However, the agency provided a very different answer—one almost the direct opposite of Rankin-Riley’s statement—in response to an open-records request.
On March 4, 2024, the Oklahoma Council of Public Affairs submitted an open-records request to the OSDH asking for the total number of patients from all facilities whose information has been provided to the Oklahoma State Department of Health from 2020 to today, whether patient information was shared with third parties, and if that information was provided for sale how much revenue the agency generated from third-party purchases of Oklahomans’ medical information.
OSDH did not respond to that request until July 18, more than four months later. When the agency did respond, the associated email declared, “Please be advised OSDH / Medical Facilities does not obtain patient records. Thus we will not be able to locate and provide any related documents requested.
“We will consider this matter closed.”
In addition to questions about the legality of state collection of Oklahomans’ medical data and the ethics of selling that information to other entities, the practice also raises concerns about security.
Lax security practices at the OSDH have previously resulted in numerous Oklahomans having their personal information stolen.
In 2011, the laptop of an Oklahoma State Department of Health employee was stolen from the employee’s car, and the agency had to notify nearly 133,000 individuals that their protected health information may have been compromised. The information stolen included individuals’ names, addresses, Social Security numbers, medical information on birth defects, birth weight, test results, tribal membership, and limited medical diagnoses. Reportedly, the information was not encrypted.