25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Patient Health Records Discovered in a Denver Alley

Posted By on Sep 14, 2017

Approximately 70 patient files containing sensitive personal and medical information have been discovered in an alley in Denver, CO.

The files contained details of patients’ medical histories, insurance information, and Social Security numbers – The types of information sought by identity thieves and fraudsters. The paperwork had been disposed of in a dumpster accessible by the public.

The records came from the Blue Skies Clinic in Boulder, CO., which was purchased more than a decade ago from chiropractor Otsie Stowell, according to Fox31, Denver. Two chiropractors took control of the records of approximately 800-1000 patients when they bought the practice.

Some of those records were stored in the basement of the practice, which was recently cleared. It is unclear how many records were disposed in the alley, although only 70 files were recovered.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The records were disposed of by mistake and no one at the clinic was aware that sensitive information was being stored in the basement, according to a statement provided to FOX31 by one of the chiropractors, Rory Lee. Lee also apologized for the mistake and said the clinic will be doing all it can to rectify the mistake.

HIPAA Rules require physical records containing PHI to be disposed of securely when they are no longer required. While HIPAA Rules do not specify the method that must be used to dispose of medical information, whatever method chosen must ensure the information is “unreadable, indecipherable, and otherwise cannot be reconstructed.” For physical records, HIPAA recommends “shredding, burning, pulping, or pulverizing” prior to disposal.

Similar rules apply to the disposal of electronic protected health information. HIPAA suggests clearing, purging, degaussing, exposing media to strong magnetic fields, or destroying electronic media by disintegration, pulverization, melting, incinerating, or shredding.

When a business is closing or about to be sold, OCR suggests covered entities should consider contacting patients and offering them the opportunity to collect their medical records. If medical records are handed over to the new owners of the business, they become their responsibility and must be safeguarded in accordance with the requirements of the HIPAA Security Rule.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist