HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Improper Disposal of PHI Discovered by Minneapolis Heart Institute

A member of a cleaning crew at the Minneapolis Heart Institute at Abbott Northwestern Hospital accidentally disposed of documents containing PHI with regular trash.

Minneapolis Heart Institute has policies and procedures in place that require all documents containing sensitive patient health information to be securely destroyed in accordance with HIPAA Rules. However, a member of the cleaning team was discovered to have emptied a trash container from a physician’s private office before documents could be securely shredded.

The incident was discovered on January 20, 2017, although not in time for the documents to be recovered and securely destroyed. The documents had been emptied into a bin bag which was placed in a regular recycling dumpster at the hospital.

It is unclear at this stage how many individuals have been impacted, although as a precaution, the Minneapolis Heart Institute is notifying all patients who were part of the physician’s service group between April 17, 2016 and January 17, 2017. Those individuals have been offered credit monitoring and identity theft protection services without charge for a period of 12 months, even though the risk of any PHI being accessed by unauthorized individuals is believed to be very low.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The documents contained PHI including names, addresses, birth dates, medical record numbers, clinical data, and health insurance information. Some health insurers use Social Security numbers as health plan identifiers; therefore, some Social Security numbers may also have been on the documents.

The incident shows that policies and procedures alone will not always prevent breaches of this nature from occurring. However, the action taken following the incident by Allina Health, which operates Abbott Northwestern Hospital, should prevent any further such incidents from occurring in the future.

Allina Health has removed all desk-side recycling bins and has replaced them with locked shredding bins. Now, all documents will be sent for shredding, irrespective of whether they contain sensitive data. An employee education program has also been conducted to advise employees of the need to shred all paperwork and Allina Health’s safeguards policy has also been reinforced, highlighting the importance of the correct disposal of documents.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.