Dedicated to providing the latest
HIPAA compliance news

Allina Health System Alerts 6,000 About Improper PHI Disposal

Share this article on:

The Minneapolis Isles clinic run by Allina Health System has notified approximately 6,000 patients of a breach of their Protected Health Information (PHI).

The clinic, located at 2800 Hennepin Avenue, discovered instances of improper PHI disposal had occurred after documents containing sensitive information were found in regular trash. HIPAA rules require all documents containing PHI to be rendered unreadable, indecipherable, and incapable of being reconstructed prior to disposal.

The HIPAA breach is not understood to have resulted in any patient health information being viewed by unauthorized individuals, although the clinic is unable to guarantee that to be the case.

According to a statement released by Allina Spokesman, David Kanihan, the incident is considered only to be a “technical breach of unsecured protected health information.” Because a risk does exist, out of an abundance of caution Allina Health System will be offering all affected patients a year of credit monitoring services without charge.

The data potentially exposed include names of patients, their mailing addresses, dates of birth, health plan details, medical record numbers, the last four digits of Social Security numbers, and some clinical information. However, since some health plans use members’ full social security numbers as their health insurance IDs, a limited number of patients have potentially had their full SSN exposed.

Improper Disposal of PHI Potentially Dates Back to April, 2015

 

The improper dumping of PHI was discovered on October 27, 2015. While hospital policies required documents containing PHI to be disposed of in secure shredding bins, some had been placed in containers that were emptied into regular trash dumpsters. Those dumpsters were private and only used by the clinic and were not accessible to the public. The dumpsters were located in a locked garage within the clinic grounds. Trash was collected weekly and taken to a garbage processing facility run by the city. The trash was subsequently sent for incineration.

An investigation revealed that the improper dumping of PHI potentially dated back to April 6, 2015, although that only occurred “in limited circumstances.” It is unclear how many patients were actually affected by the breach, as it was impossible to determine which patients’ information were listed on the improperly trashed documents.

In order to ensure that all patients affected by the improper PHI dumping received a breach notification letter, Allina Health System made the decision to send letters to all patients who visited the clinic between April 6, and October 27. It is probable that only a small percentage of those 6,000 patients had their PHI exposed.

The only patients that would have been affected are those that had their PHI printed on documents. This was not something that happened with every patient according to Kanihan. Most members of staff were also aware about the rules covering PHI disposal and would have placed the documents in the correct containers, further reducing the number of patients likely to have been affected.

To reduce the risk of further incidents such as this occurring in the future, Allina Health System has replaced its refuse bins with containers that have been clearly marked for shredding. Clinic staff members have also been retrained on the importance of using the correct bins for any documents containing patient PHI.

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On