Legal action has been taken by the Texas attorney general’s office against Alliance Health Management & Consulting Inc. for the improper disposal of Protected Health Information (PHI) of patients.
The home healthcare management company is no longer in business, having ceased trading in July 2009; however, last year, documents containing the PHI of patients were discovered to have been discarded in a dumpster without first having been rendered indecipherable.
HIPAA Rules Covering the Disposal of Protected Health Information
The HIPAA Privacy Rule requires covered entities to implement physical safeguards to keep all forms of PHI secured at all times. When PHI is no longer required by a covered entity it must be disposed of securely (45 CFR 164.310(d)(2)(i) and (ii)). PHI must be destroyed, or rendered unreadable and indecipherable. It must not be possible for any element of PHI to be reconstructed.
The exact method that must be used to destroy records is not stipulated by HIPAA Rules, although for physical records the OCR recommends pulping, burning, shredding, or pulverizing. Medical records and other data covered under HIPAA Rules must not be disposed of in dumpsters or with regular trash, as the information could be found and viewed. It does not matter whether the covered entity is still in business or has ceased trading. A covered entity remains responsible for the records until such time that they are no longer required and can legally be disposed of.
Each state has different laws covering the length of time that medical records must be stored. In Texas, medical records must be kept for a period of at least 7 years following the last date of treatment. Since Alliance Health Management & Consulting Inc. ceased trading in July 2009, at least some of the records would have needed to be stored until July 2016.
State Seeks Civil Penalties for the Improper Disposal of PHI
On July 14, 2014, the medical records were discovered in a recycling dumpster. Since no effort had been made to render the data unreadable, HIPAA rules were breached. However, the lawsuit was filed for breaches of state laws covering identity theft prevention, and also for the company having engaged in “false, misleading, and deceptive acts and practices.” A civil penalty of up to $20,000 is being sought by the state for each violation. The lawsuit has been filed against Alliance Health Management & Consulting Inc., and its former director, Maria Olveda.
The data exposed were highly sensitive and included Social Security numbers, patient names, and dates of birth: exactly the data sought by identity thieves. Had the records not been secured by the Northside Independent School District Police, the risk of patients suffering financial fraud would have been considerable. The data contained in the files also included highly sensitive medical data which could potentially have been used to discriminate against patients. Details of counselling sessions were contained in the files, including information provided by patients in confidence during those sessions. Information about drug abuse was also present in some patient files, in addition to personal medical histories.
The records were discovered in a recycling container by a member of the public who alerted the authorities. The files were collected by NISD police before being transferred to the Texas branch of the HHS. All patient records are believed to have been recovered in time to prevent data being misused; however, that could easily have not been the case, hence the lawsuit.