Illegal Dumping of Medical Records Exposes PHI of Ohio Drug Rehab Clinic Patients

Illegal Dumping Medical Files Uncovered


Another case of illegal dumping of medical records has been reported, this time involving a Utah drug and rehabilitation clinic, Positive Adjustments. The company went out of business approximately 6 months ago; however medical records were discovered in a dumpster outside the abandoned clinic – at 4548 South Atherton, Taylorsville, by a contractor employed by Dr. Scott Cold, DDS on Friday last week.

Dr. Cold confirmed to Fox News that the files contained complete patient records, including patient names, contact information, Social Security numbers and treatment data, in addition to confidential court documents.

Medical Records Dumped in Public View


When Dr. Cold’s contractor turned up for work on Friday, August 7, the medical records were noticed in the physician’s dumpster, which was open, with the files in clear view of anyone passing close by. The matter was brought to the attention of Dr. Cold who was aware of HIPAA Rules covering Protected Health Information (PHI), and notified law enforcement; however, the records could just as easily have been found by a dumpster diver or an unscrupulous member of the public.

Any dumping of medical records violates the privacy of patients, although what is particularly worrying in this case is the nature of the data that was potentially compromised. Confidential information about drug abuse and addiction was included in the files. The disclosure of such data has considerable potential to cause patients to come to harm.

The state arranged for the records to be collected and secured, but they have only been moved back into the building from where they were taken and dumped. It is not clear if the owners of Positive Adjustments have been contacted and are aware of the incident.

Highly Confidential Information Exposed


Fox News managed to contact a former patient of the facility and alerted her to the exposure of her private and confidential records. She told the Fox reporter she had “trusted the drug and alcohol rehab center during a dark time in her life,” and went on to say she was “angered and scared for my future potentially having my information out there like that.”

Her records included information she provided to the clinic – in confidence – as part of her treatment program. She said, “I had to write things about my depression, things that, you know, are embarrassing to some, me I’m kind of out in the open anyway, but, still: That could be taken into the wrong hands and that scares me to death.”

Dr. Cold reported the security breach to law enforcement which subsequently notified the Utah State Department of Occupational and Professional Licensing. Dr. Cold was informed that the matter could be pursued by law enforcement on the grounds of illegal dumping of medical records, and the Department of Health and Human Services’ Office for Civil Rights can issue financial penalties HIPAA breaches. Action could therefore be take action against the owners of the former clinic.

PHI must be Permanently Destroyed when no Longer Required


The responsibility to protect patient privacy does not end when a healthcare provider goes out of business. Under HIPAA Rules, covered entities are required to permanently destroy all data when it is no longer required; however, data must be kept for a period of six years under federal laws. Should a holder of PHI go out of business before that 6 year period has expired, they must store the records securely and arrange for their permanent destruction at the appropriate time.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.