Boxes of PHI Left Unprotected at Former Children’s Psychiatric Facility

In Farmingdale, NJ, a former children’s psychiatric facility that was closed after an investigation into the mistreatment of patients, appears to now be mistreating patients’ records as well, in breach of HIPAA regulations.

The Arthur Brisbane Child Treatment Center has been closed for 10 years, yet medical records were still being stored in the facility. The center was closed, shuttered, and locked, and the records were protected from prying eyes; however, during the past month the door to the facility was found open on numerous occasions. The property could have been entered by any number of individuals during this time, who would have been able to gain access to medical files containing highly sensitive information on particularly vulnerable individuals.

Any individual to discover the boxes of files would be able to easily locate information, as the boxes had been conveniently labeled. Some were marked “medical” and “payroll”, the former containing detailed medical information on employees/patients and the latter containing banking information of former employees of the treatment center. Many Social security numbers were detailed in the files, along with personally identifiable information covered under HIPAA. More than enough data was present to enable a criminal to commit identity theft and defraud former patients and employees.

It is not possible for medical records to be destroyed immediately if a medical facility is closed. Records need to be kept for a certain period of time according to state and federal regulations, which can be 7 years, 10 years or 20 years depending on the type of records. Many of the boxes of files were clearly meant to be securely destroyed, and were marked with dates when they should be disposed of. However, the boxes appeared to have been forgotten, with some earmarked for destruction in 2002. Others were not destined to be destroyed for another 30 years.

The center had been cleared of equipment, although the files remained. It is not clear if any of the information had been accessed by unauthorized individuals during the time that the facility was unsecured, but the files have now been removed by New Jersey’s Department of Children and Families.

Under HIPAA Regulations, the Protected Health Information of patients must be secured using physical safeguards, under 45 CFR 164.530(c), and must be stored in a locked facility to prevent unauthorized individuals from gaining access to the records. When no longer required, records must be permanently destroyed. The PHI of patients cannot simply be abandoned when no longer required. They must be burned, shredded, pulped or pulverized, to ensure that the records are “unreadable, indecipherable, and otherwise cannot be reconstructed.”

The records have now been secured and an investigation has been launched by the Department of Children and Families to determine how the files came to be stored in the facility, as well as how they were found, and whether any files appear to be missing.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.