A potential HIPAA violation occurred after patient records at a Tennessee hospice wound up on the side of a highway.
- A hospice employee’s failure to properly shed patient records is being blamed as the culprit in a potential HIPAA violation in Tennessee.
Sandra Rambo and her daughter told local news station WJHL that they found medical records on the side of a highway earlier this week. According to the duo, 23 Amedisys hospice records were discovered, which listed medical conditions, personal information, patient identification numbers and “other private patient details regarding hospice visits.” The records dated back to 2010 and reportedly contained information on 17 different patients.
An Amedisys spokesperson claimed that a former employee potentially failed to shred the paperwork, according to the news source.
US Department of Health and Human Services spokeswoman Rachel Seeger explained to WJHL that the most common scenario to resolve a HIPAA violation is work with the organization in terms of corrective action and technical assistance.
“There have been a small number of cases that have resulted in a resolution agreement, which is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years,” Seeger said. “During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement likely would include the payment of a resolution amount. These agreements are reserved to settle investigations with more serious outcomes.”
However, Rambo was not reassured, especially since one of the records she found allegedly belonged to the deceased husband of one of her neighbors.
“HIPAA laws are supposed to prevent this,” Rambo told WJHL. “They’re supposed to prevent this from getting in the public’s grasp.”
According to an Amedisys spokesperson, the facility collected all documents from Rambo and is investigating the situation to ensure that no other records are inadvertently exposed.
“Amedisys began utilizing encrypted, password protected electronic medical files to ensure our patient’s privacy in 2012,” the spokesperson said. “We also have strict policies regarding patient records and the proper procedures in retaining and storing this information.”
Amedisys’ current policy requires its employees to shred any paper documents after a patient’s episode of care is completed, the statement explained. Moreover, it does not appear that this former employee followed our normal protocols.
The hospice added that it is offering credit monitoring service to patients who might be affected and is providing staff members with additional HIPAA training to mitigate any future issues.
Unfortunately, human error is a somewhat common scenario when it comes to causes of healthcare data breaches. Either former employees continue to have access to sensitive materials, or current employees are unclear as to how to dispose of certain items properly.
Earlier this month, a Minnesota health system had to notify approximately 2,000 patients that their PHI was potentially exposed after documents were mistakenly sent to commercial dumpsters. The documents may have included patient names, account numbers, dates of birth, home addresses, types of treatment, insurance information and medical information.