Holston Valley Medical Center, a Kingsport, Tenn. hospital run by the Wellmont Health System, has discovered that 1,726 patients’ medical records have been improperly disposed of, according to a report on WYMT Mountain News.
On March 1, 2015, the hospital was alerted to the presence of a number of documents containing Protected Health Information (PHI) in a recycling container in Steele Creek Park, Bristol. The documents contained notes on patients taken by a nurse and related to patients who had visited the Holston Valley Medical Center between 1998 and 2007.
It is not clear exactly what information was included on the patients, although a statement released by Wellmont’s Chief Compliance Officer, Nancy Merritt, confirmed “The notes were not part of any patients’ legal medical record and were never in a public area before they were placed in the recycling bin.”
Merritt went on to say, “Holston Valley and Wellmont did not authorize these notes, their retention or their disposal at Steele Creek.” The taking of the notes was in violation of company policy. When the nurse in question was interviewed and told that corrective action would be necessary, the nurse resigned.
Breach notification letters have been sent to “as many of the individuals as possible.” Due to the age of the data, many of the patients may no longer be alive or may have moved. Patients affected by the breach are being offered a year of free credit monitoring services, even though the likelihood of the data being used inappropriately is deemed to be low, as the notes were never in a public area.
However, since the nurse took the notes over a period of 9 years and some of them had existed – unbeknownst to HVMC – for 17 years, any number of people could potentially have seen them, so breach victims are advised to exercise caution and sign up for the credit monitoring services.
Following a security incident such as this, it is essential that healthcare providers take action to manage risk and identify other potential security vulnerabilities. It is advisable to conduct a full risk assessment after any breach of PHI.
Further training must be provided to all physicians, nursing staff, and anyone required to come into contact with PHI as part of their daily duties. The HIPAA Security and Privacy Rules should be explained, along with the responsibilities of the staff and the organization and the repercussions for HIPAA violations.
Wellmont took this course of action and is taking a number of other steps to improve data security and ensure PHI is safeguarded. Any patient not receiving a breach notification letter who is concerned they may have been affected should contact the hospital.
What Does HIPAA Say About the Disposal of PHI?
Under the HIPAA Security Rule, §164.310(d)(2)(i) (Disposal), Covered Entities (CEs) must:
“Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.”
While CEs are not obliged to use a particular method to render PHI unreadable and indecipherable, OCR guidance suggests the following:
For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.