Share this article on:
A resident of Madison County, Richmond, Ky. recently discovered a dumpster full of medical records, with the boxes of paper files understood to contain highly sensitive Protected Health Information (PHI) covered under the Health Insurance Portability and Accountability Act (HIPAA).
According to a news report on WTVQ, Carl Swanger discovered the files on Saturday, May 31. After a quick inspection he “immediately he knew something wasn’t right,” and took the boxes to Baptist Health as he thought there must have been an error made. However the records did not belong to the healthcare provider, instead they were from a company called Richmond Radiology which closed for business many years previously.
The dumpster was located in AAA Rent-A-Space in Richmond, and contained 65 boxes of medical records. The files had been cleared out of the storage facility by the manager as he needed the space for a new customer.
The manager was unaware of the contents of the boxes as an employee was told to clear out the storage unit. According to the manager of the facility, that employee can’t have realized what the boxes contained or that HIPAA Rules were just about to be violated. The manager told the news station that the storage facility had been abandoned by the customer around July 2011.
Disposal of Protected Health Information under HIPAA Rules
45 CFR 164.530(c) of the HIPAA Privacy Rule requires all covered entities to implement the appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. If physical files are put in a dumpster, it is a violation of this rule and the above safeguards are clearly not present. The Privacy and Security Rule both apply to PHI until has been destroyed.
When medical records are no longer required, HIPAA regulations demand that any PHI is rendered “unreadable, indecipherable, and otherwise cannot be reconstructed.”
HIPAA guidelines do not dictate the method that must be used to achieve this purpose. That is left to the judgement of the covered entity. The Department of Health and Human Services’ Office for Civil Rights does suggest a number of ways that HIPAA Rules can be satisfied and privacy protected:
“For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.”
Since HIPAA Rules have been violated, the former owners of Richmond Radiology could face financial penalties from the Office for Civil Rights.
Baptist Health is in the process of trying to contact the former owners via a physician who worked at the facility in order to return the data to the right people to arrange secure disposal and send out breach notification letters to the individuals affected. Until such point, there is no way of telling if any of the boxes of medical records have gone missing.
Guidance on the Disposal of Protected Health Information can be found on the OCR website.