Preventing potential health data breaches requires healthcare organizations to have the necessary physical, technical and administrative safeguards in place. If one area is lacking, or is simply overlooked, it does not matter how strong the other protections may be.
For example, the best firewalls and anti-virus software can only protect against certain technical attacks. But if an employee does not have the proper training, portable devices or paper documents could be left unattended. From there, sensitive information could fall into the wrong hands.
Two recent cases of improper disposal potentially exposed sensitive patient information, including old medical records. As these two situations show, even when organizations shut down or move locations, HIPAA safeguards must remain a top priority.
Indiana facility leaves medical records in dumpster
Yet another medical facility seemingly left sensitive patient records in a publicly accessible dumpster.
A restaurant employee discovered the medical records of approximately 170 individuals in a dumpster, and then reached out to The Times Media Co. to report the incident, according to an NWITimes.com report. The records were from My Fast Lab, a now-defunct Crown Point medical-testing business that offered a variety of health screenings for "70 percent less" than its competitors, the news source reported.
Information in the documents included patient names, addresses, phone numbers, blood types, and credit card numbers with expiration dates and security codes. Copies of Social Security cards, driver's licenses and health insurance cards were also included, along with written prescriptions for lab work, lab results and medical diagnoses.
"Someone's life is on that paper," said Adam Mitchell, who discovered the medical records. "It could have fallen into the wrong hands."
The Times Media Co. contacted the Indiana Attorney General’s office and turned the medical records over to the facility.
Also known as a “draw station,” according to the news source, My Fast Lab would draw patients’ blood and samples would get sent to a large-scale laboratory. From there, the laboratory returns results to the patients’ physicians. The locations are often more convenient to patients, and the prices are typically lower than large health systems.
Under HIPAA, covered entities are not allowed to simply abandon PHI or dispose of it in containers that are accessible to the public or other unauthorized persons. It is also important to note that the HIPAA Privacy Rule does not specify how long organizations must keep PHI on hand. State laws may dictate how long medical information needs to be retained; otherwise, HHS explains that "appropriate administrative, technical, and physical safeguards" must be used to protect the information for as long as it is maintained.
Closed Utah nursing home possibly left patient information unattended
A nursing home in Sandy, Utah was recently shut down, but according to a local news report, individuals claim the facility was left open and abandoned, with sensitive patient information unsecured.
Deseret Health and Rehabilitation was closed because the owners ran out of money, reported Fox 13, but neighbors told police that people were removing items from the building and became suspicious. The news source did not specify how many patients in total were potentially affected, or whether any data breach notifications were going to be sent out.
Fox 13 stated that when it visited the property, boxes, files and trash were left inside the building, while a small pile of patient records was found unattended on the sidewalk. The files showed two patients' names and their evaluations by facility physicians, the news source reported.
While Fox 13 was unable to get hold of Deseret CEO Garrett Robertson, Utah Department of Health spokesman Tom Hudachko said that Robertson is cooperating.
“There is an administrative rule that requires these facilities when they close down to create a provision for the safe and secure keeping of those medical records,” Hudachko told Fox 13, “And they’ve got to keep them for seven years after each one of their clients is discharged.”
Hudachko added that Deseret Health has now hired security to monitor the property.