Share this article on:
Medical records from a now defunct Ohio hospital have recently been discovered in a public dumpster. Hundreds of confidential medical records containing highly sensitive medical and personal information were found at a recycling center by a member of the public.
The documents contained patient names, dates of birth, Social Security numbers, and medical test results, some of which could potentially be used to discriminate against individuals. According to a recent report on WDTN news, the medical data contained in the documents included STD test orders, gynecological examination reports, and drug screening test results. The records related to patients who had received treatment in 2005 and 2006, although some older records were also discovered.
HIPAA Rules covering the disposal of Protected Health Information are clear. When PHI is no longer required, it must be permanently destroyed. Prior to disposal it must be rendered unreadable and indecipherable, and it must not be possible for the data to be reconstructed. HIPAA Rules are not so specific as to dictate the means by which material should be destroyed, but burning, pulping, or shredding of records would be appropriate.
The person who discovered the records contacted WDTN to alert the news station about the find, and reporters collected the files to determine who the rightful owner of the records was. Most of the documents appeared to have come from the Springfield Community Hospital. The hospital closed for business in 2011, with patients transferred to the new Springfield Regional Medical Center run by Community Mercy Health Partners.
Community Mercy Health Partners was formed in July, 2004, following the merger of two Springfield hospitals: Community Hospital and a facility run by Mercy Health Partners. The contents of Community Hospital were auctioned in April 2012, although it is unclear exactly where the medical records came from, or how they came to be dumped at the recycling center. An investigation into the incident has now been launched by Springfield Regional Medical Center, and the documents appear to have been kept by an old laboratory used by Community Hospital.
They have now been given to Springfield Regional Medical Center, which will be sending breach notification letters to all affected patients. The hospital has also confirmed that credit protection services will be offered to all affected patients.