A Michigan healthcare provider was accused of leaving behind boxes of confidential patient files in a decommissioned hospital. When the provider opened a new state-of-the-art hospital, it closed two older facilities. Used office furniture, electronics, medical equipment, and other items no longer needed at the new facility were left behind. The provider decided to auction off the items and gave the public an opportunity to inspect them before they went up for sale.
A man who attended the April 19th preview at one of the facilities said he found several boxes containing patient files. He took pictures and a video and sent them to a local news station. The pictures showed a patient name, address, phone numbers, and other medical information.
When confronted by the news station, the provider issued a statement which said that when they began the transition to the new building, they had undertaken a massive data destruction effort to ensure the old patient records and legal and business records were purged. They said that they had enlisted a third party to administer an auction for their unused equipment and furniture. During a controlled preview of the items to be auctioned, an individual had apparently gained access to the documents that weren’t yet destroyed, took pictures and a video, and shared the information with the media.
The provider also said in their statement that they were conducting a comprehensive investigation into how an individual was able to gain access to the documents, and that they would fully comply with any regulatory requirements that resulted from the investigation, such as notifying the patients involved and providing protection. They said they were taking additional measures to ensure all documents which needed to be destroyed were locked in secure areas and that they would immediately purge any remaining materials.
Compliance Perspective
Issue
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires that facilities apply appropriate administrative, technical, and physical safeguards to protect the privacy of PHI in any form. This means facilities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information. Facilities may, but are not required to, hire a business associate to appropriately dispose of PHI on their behalf. In doing so, the facility must enter into a contract or other agreement with the business associate that requires the business associate, among other things, to appropriately safeguard the PHI through disposal. For example, a facility may hire an outside vendor to pick up PHI in paper records or on electronic media from its premises, shred, burn, pulp, or pulverize the PHI, or purge or destroy the electronic media, and deposit the deconstructed material in a landfill or other appropriate area.
Discussion Points
- Review policies and procedures related to HIPAA and PHI, including proper disposal of such information. Update as needed.
- Train all staff on HIPAA and PHI upon hire, annually, and when any issues arise. Ensure that staff receive training on the disposal policies and procedures as necessary and appropriate for each member of staff. Any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers. Document that these trainings occurred.
- Periodically audit to ensure that appropriate disposal policies and procedures are in place to protect the privacy of medical records and other PHI, that they are consistently implemented, and that any identified issues are addressed in a timely manner and in full compliance with HIPAA requirements.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*