Share this article on:
Northfield Hospital & Clinics has recently issued a HIPAA breach notification to approximately 1,800 of its patients after their Protected Health Information (PHI) was potentially exposed to unauthorized individuals over an eight day period in October this year. The security breach only affected a small percentage of Northfield patients and no medical information is believed to have been accessed, although the matter is being treated with the utmost seriousness.
The security breach occurred when a number of documents were disposed of in commercial dumpsters by mistake, rather than being destroyed as required by HIPAA data security and privacy rules. When Protected Health Information is no longer required it must be destroyed or rendered unusable, with the rules applying to paper records and all electronic data.
Paper records containing PHI and other confidential information must be shredded, incinerated or rendered unreadable to ensure that patient health information is not accidentally disclosed. In the case of Northfield Hospital & Clinics, the records included some credit card numbers; however the paper records contained a considerable amount of personally identifiable information together with Social Security numbers and dates of birth; exactly the information that many criminals hope to acquire for purposes of committing medical fraud.
Once the error was noticed, the hospital took rapid action to mitigate the damage and changed procedures to prevent similar mistakes from occurring in the future. Paper recycling bins are now no longer kept next to desks to reduce the risk of accidental disposal of confidential waste in commercial recycling bins and a number of other policies and procedures are being introduced to improve data security. The staff will receive training on the correct methods for disposing confidential waste, while the cleaning staff will be supervised until further notice. Secure confidential waste containers have also been installed in central areas and the disposal of their contents will be strictly controlled.
Steve Underdahl president of Northfield Hospital & Clinics issued an apology to patients stating that Northfield clinics are “learning from it [the incident] and are emerging with more secure protocols”. The probability of disclosure of PHI is very low, although “we always want to error [err] on the side of caution and do what we can to mitigate the impact of the incident,” he said.
Part of the mitigation plan involves setting up a dedicated 800 number for patients to call with any questions relating to the HIPAA breach and the 1,778 affected individuals are being offered free credit monitoring services for a period of 12 months.