A California healthcare provider recently notified 149,940 patients that paper documents containing their protected health information (PHI) were stolen in a break-in at an off-site facility where the provider stored patient records.
On March 4, 2022, the provider discovered that six boxes of paper documents had been removed from the off-site storage facility without authorization. They immediately began working with local authorities to determine the nature and scope of the event, and confirmed that a limited set of patient documents was affected by the theft.
On April 22, 2022, the provider determined that the affected files related to certain patients they served in 1997 and between 2006 and 2020. The analysis also revealed that the information potentially contained in the stolen boxes may have included names, addresses, dates of birth, and diagnosis codes. They found no evidence that the potentially exposed information had been used, or that any attempt had been made to use it.
On May 3, 2022, the provider began notifying the potentially impacted population. They encouraged the individuals to remain vigilant against incidents of identity theft and fraud, to review account statements and explanation of benefits forms, and to monitor free credit reports for suspicious activity and to detect errors. Affected individuals have also been offered complimentary credit monitoring services.
The provider is reviewing its policies and procedures relating to the storage of paper data.
Compliance Perspective
Issue
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule does not include medical record retention requirements. Rather, CMS and/or State laws generally govern how long medical records are to be retained. However, the HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other PHI in any form, paper included, for whatever period such information is maintained by a covered entity, including when stored off-site and through the process of secure disposal once retention periods have been met. If a breach of unsecured PHI occurs, entities must also comply with the HIPAA Breach Notification Rule, which requires notifying affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach, along with the required notifications to HHS and, where more than 500 residents of a State are affected, to prominent media outlets. In the incident above, notification began on May 3, 2022, exactly 60 days after the March 4 discovery, at the outer edge of that window.
Discussion Points
- Review policies and procedures related to HIPAA and PHI, including secure medical record storage and response to data breaches. Update as needed.
- Train all staff on HIPAA and PHI upon hire, annually, and when any issues arise. Ensure that staff who are responsible for secure storage of medical records, whether in house or off-site, are properly trained to follow and enforce your related policies and procedures, including how to respond should a breach of data occur. Document that these trainings occurred and file the signed training document in the employee’s education file.
- Periodically audit to ensure that appropriate safeguards are in place to protect the privacy of medical records and other PHI, that they are consistently implemented, and that any identified issues are addressed promptly and in full compliance with HIPAA requirements.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*