Share this article on:
Boyd Hospital in Carrollton, Ill. has potentially violated the HIPAA Security Rule after it failed to remove medical records from an old property before it was sold.
A resident of Jerseyville, Edward Crone, purchased an old property – an ambulance shed in Main Street – from the county on March 19, after it had been sitting dormant on the market for over a year. The shed was being used by the hospital as an off-site storage facility.
The property was used to store office equipment such as desks, chairs and filing cabinets and it was also home to a number of boxes of medical records. A breach report was submitted to the Department of Health and Human Services’ Office for Civil Rights – dated May, 21 – announcing that 8,300 records were in the boxes.
Boyd hospital had made the transition to Electronic Health Records some time ago, and the data on the paper files had been scanned into digital documents which were stored on the hospital network. The paper files appear to have been something of an issue, as they could not be disposed of and the hospital was apparently considering a new place to store them.
However, Crone maintains that the hospital was contacted about the contents of the shed and the county had informed the hospital that items needed to be moved prior to sale. Debbie Campbell, CEO of BOYD Hospital, said “the hospital was aware of the sale of the building, it was not informed there was a buyer or of the closing date. She said the hospital was aware there were records being stored in the building but said nothing was compromised.”
Accusations and Investigations
Crone maintains the county contacted the hospital, and both he and the realtor called on numerous occasions to advise them of the sale. He eventually assumed the goods were not wanted by the hospital, and even took steps to have the items removed and destroyed.
Crone said that Campbell then attempted to gain entry to the property without either himself or the realtor being present and discovered he had changed the locks. When the property was sold, the contents of the shed became the property of the owner, and given his offers for the items to be collected he felt that the contents – with the exception of the medical records – were his to do with as he wished. He did not permit Campbell to take any other items away.
There may have been a delay in collecting the records and slow action by the hospital, but the matter has certainly got hospital officials’ full attention now. Crone started selling the contents of the shed online but it would appear that the matter was reported to the website administrators and his account was terminated for “selling stolen goods.” The matter was also brought to the attention of law enforcement officers.
Legally the contents of the property were his to sell and no action was taken by the police. In the process, Crone believes his reputation has been damaged and he has sent a letter to the Boyd Hospital board of trustees demanding a public apology for the damage caused to his reputation. At the time of writing, he has not received a response.
Potential HIPAA Violation
Under the HIPAA Security Rule, covered entities must ensure paper records containing PHI are stored securely and when no longer required, are securely disposed of and rendered unreadable and indecipherable. It was not the hospitals intention – it appears to be a case of poor communication – but technically the hospital sold the medical records with the property once the sale was finalized.
The records are now secure and do not appear to have been compromised so no risk of PHI exposure is understood to exist. However, as far as Crone is concerned the matter will not be resolved until he receives an apology.
Post updated: 05.29.2015