HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

2,859 Patients Impacted by Improper Disposal at St. Thomas Rutherford Hospital

This month, North Dakota Department of Human Services and Texas Health and Human Services have both reported that patients’ protected health information has been disposed of improperly. Today, another HIPAA-covered entity – Saint Thomas Rutherford Hospital in Murfreesboro, TN – has reported a similar incident.

Documents containing the protected health information of almost 3,000 patients were discovered to have been abandoned by the side of a remote, rural road in DeKalb County in April. The documents were discovered by a member of the public.

Upon being notified of the discarded reports, St Thomas Rutherford Hospital immediately launched an investigation but it is currently unclear how the documents were discarded and who was responsible.

The documents were reports on a sample of 2,859 patient census reports and date between 2009 and 2010.  Affected patients have now been notified of the privacy breach by mail and the incident has been reported to all appropriate authorities.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The documents contained no medical records or Social Security numbers, only each patient’s name, admitting diagnosis, date of birth, physician’s name and account number. Due to the limited nature of data in the documents, Saint Thomas Rutherford hospital does not believe patients face any additional financial risk as a result of the breach.

Cynthia Figaro, Corporate Responsibility Officer and Corporate Privacy Officer of Saint Thomas Health issued a statement about the incident in which she confirmed, “Protecting the privacy of our patient’s information is always a top priority for us at Saint Thomas Health and Ascension,” and sincerely apologized to patients for the privacy violation.

The investigation confirmed that no further disclosures of patient information have occurred and a third-party firm has been contracted to ensure all storage files are appropriately secured until they can be permanently destroyed in accordance with Health Insurance Portability and Accountability Act Rules.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.