Patient Health Records Discovered in a Denver Alley

Approximately 70 patient files containing sensitive personal and medical information have been discovered in an alley in Denver, CO.

The files contained details of patients’ medical histories, insurance information, and Social Security numbers – The types of information sought by identity thieves and fraudsters. The paperwork had been disposed of in a dumpster accessible by the public.

The records came from the Blue Skies Clinic in Boulder, CO., which was purchased more than a decade ago from chiropractor Otsie Stowell, according to Fox31, Denver. Two chiropractors took control of the records of approximately 800-1000 patients when they bought the practice.

Some of those records were stored in the basement of the practice, which was recently cleared. It is unclear how many records were disposed in the alley, although only 70 files were recovered.

The records were disposed of by mistake and no one at the clinic was aware that sensitive information was being stored in the basement, according to a statement provided to FOX31 by one of the chiropractors, Rory Lee. Lee also apologized for the mistake and said the clinic will be doing all it can to rectify the mistake.

HIPAA Rules require physical records containing PHI to be disposed of securely when they are no longer required. While HIPAA Rules do not specify the method that must be used to dispose of medical information, whatever method chosen must ensure the information is “unreadable, indecipherable, and otherwise cannot be reconstructed.” For physical records, HIPAA recommends “shredding, burning, pulping, or pulverizing” prior to disposal.

Similar rules apply to the disposal of electronic protected health information. HIPAA suggests clearing, purging, degaussing, exposing media to strong magnetic fields, or destroying electronic media by disintegration, pulverization, melting, incinerating, or shredding.

When a business is closing or about to be sold, OCR suggests covered entities should consider contacting patients and offering them the opportunity to collect their medical records. If medical records are handed over to the new owners of the business, they become their responsibility and must be safeguarded in accordance with the requirements of the HIPAA Security Rule.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.