Indiana Attorney General’s Office Investigates Dumping of Medical Records
Earlier this week, an officer from the Indianapolis Metropolitan Police Department (IMPD) discovered a number of medical records in a public recycling dumpster in Broad Ripple Park, Indianapolis.
A number of confidential documents were found in file folders in the dumpster which had been mixed up with newspapers and other paper and cardboard.
IMPD recovered the files and folders from the recycling dumpster, although there is no way of telling whether any documents had been removed by members of the public. It is also unclear whether files had been dumped on a single occasion, or whether material had been disposed of over an extended period of time.
The Indiana Attorney General’s Office is now involved and efforts have been made to contact recycling and waste disposal companies who potentially may have come into contact with dumped medical records. If any further files and folders are recovered the attorney general’s office will arrange for the files to be collected and secured.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
According to the police report, the files contain highly sensitive data including patient names, addresses, health insurance information, and Social Security numbers. An investigation is being conducted to determine who the files belong to, and how they came to be dumped in Broad Ripple Park.
HIPAA requires all medical records to be disposed of securely when they are no longer required. Covered entities and their business associates must ensure that paper files are destroyed and rendered unusable, unreadable, and indecipherable. State laws in Indiana also require personally identifiable information to be disposed of securely.
Covered entities found to be guilty of improperly disposing of medical records face heavy fines and the Department of Health and Human Services’ Office for Civil Rights has previously taken action against HIPAA-covered entities that have been discovered to have improperly disposed of PHI. In June 2014, OCR reached a $800,000 settlement with Parkview Health System – which serves patients in Northern Indiana – after the company improperly disposed of medical records.
The Indiana attorney general can also take action against companies and individuals who fail to dispose of confidential information securely. Indiana is one of a handful of states that has previously exercised the right to issue financial penalties for HIPAA violations. In early 2015, a fine of $12,000 was issued to former Kokomo dentist Joseph Beck for illegally dumping the files of approximately 7,000 patients.
The Attorney General’s office is investigating the breach and will issue updates on the incident when further information is uncovered. Indiana’s Disclosure of Security Breach law requires individuals to be notified of any breaches of personally identifiable information. Affected individuals will be notified of the breach in the coming weeks.
