Medical Records Exposed after Georgia Hospital Clearance

A Georgia hospital recently underwent a thorough clearance in anticipation of new ownership. However, personal information, medical records, and even biohazardous waste were strewn about on the hospital’s front lawn.

The hospital had recently been sold to a buyer from a different city. The hospital was then emptied of its contents, but patient medical records—ranging from blood transfusion records to X-rays and medication logs—were left behind. Some of the X-rays scattered on the lawn were traced back to the former mayor’s family. An application for employment containing a Social Security number was discovered in the pile.

The hospital’s doors were also left unlocked, making the building accessible to anyone. Inside, shards of glass, empty vials, and signs of building damage were evident.

Local residents expressed their concerns about privacy and safety. The current mayor acknowledged the situation, but said he’d faced language barriers when trying to communicate with the workers involved. He said his office was trying to contact the new owner to make them aware of the situation.

The incident highlights the importance of safeguarding sensitive data and maintaining proper disposal protocols, especially when transitioning ownership of healthcare facilities.

Compliance Perspective

Issue

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires that facilities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI) in any form. This means facilities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information. Facilities may, but are not required to, hire a business associate to appropriately dispose of PHI on their behalf. In doing so, the facility must enter into a contract or other agreement with the business associate that requires the business associate, among other things, to appropriately safeguard the PHI through disposal. For example, a facility may hire an outside vendor to pick up PHI in paper records or on electronic media from its premises, shred, burn, pulp, or pulverize the PHI, or purge or destroy the electronic media, and deposit the deconstructed material in a landfill or other appropriate area.

Discussion Points

    • Review policies and procedures related to HIPAA and PHI, including proper disposal of such information. Update as needed.
    • Train all staff on HIPAA and PHI upon hire, annually, and when any issues arise. Ensure that staff receive training on the disposal policies and procedures as necessary and appropriate for each member of staff. Any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers. Document that these trainings occurred.
    • Periodically audit to ensure that appropriate disposal policies and procedures are in place to protect the privacy of medical records and other PHI, that they are consistently implemented, and that any identified issues are addressed in a timely manner and in full compliance with HIPAA requirements.

*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*
