Database owners are now required to ensure medical record security by safeguarding healthcare data stored in their systems, according to a recently updated Indiana bill.
Senate Bill 549 changed the definition of “abandoned” medical records to include electronic records, not just paper records that have been improperly discarded or disposed of. Additionally, the Indiana Attorney General can now recover the costs of protecting discarded healthcare records.
“[The bill] also applies current law concerning database security to a data base owner currently exempt from the law
Abandoned records had previously been considered records that were “voluntarily surrendered, relinquished, or disclaimed by the
In addition, abandoned records are considered ones that are “recklessly or negligently treated, such that an
Health records also include written, electronic, or printed information that a healthcare provider possessed or maintained
The bill went into effect on July 1. It also expands situations where the state attorney general may file actions, including the following:
- When health records are recklessly or negligently treated such that an unauthorized person could obtain access to or possession of the records
- When the AG incurs costs in completing its responsibilities under Indiana Code when health records are abandoned
- When a database owner who maintains their own data security procedures under HIPAA fails to implement and maintain reasonable data protection procedures or improperly disposes of or abandons data
SB 549 also states that there might be certain exceptions to data base owners that maintain their own
However, current or former healthcare
“A data base owner shall not dispose of
Indiana Senator Aaron Freeman co-authored the bill, and told The Indiana Lawyer that the law is meant to encourage medical professionals to have a plan in place to protect patient data.
“We need to button up people’s private information where we can, especially their private medical information,” Freeman explained to the news source. “When companies do go out of business, they need to make sure these records are secure.”
HIPAA regulations do have requirements in terms of proper disposal of patient health information.
There is not a particular disposal method required, but covered entities cannot “abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons,” according to an OCR FAQ.
“Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps,” OCR stated. “In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed.”
For example, OCR said shredding, burning, pulping, or pulverizing paper records could be acceptable forms of disposal. Furthermore, ePHI could be disposed of in the following manners:
- Clearing (using software or hardware products to overwrite media with non-sensitive data)
- Purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains)
- Destroying the media (disintegration, pulverization, melting, incinerating, or shredding)
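The first of those ePHI options, clearing by overwrite, is only as good as the verification that follows it. The following script is an added example and is not from OCR, the bill, or any tool named on the page: it overwrites a file-backed disk image with zeros, forces the write to stable storage, reads the whole image back to confirm nothing survived, and returns the fields a disposal log might keep. The `sanitization_record` field names and the sample "PHI" content are assumptions constructed for the demonstration.

```python
import os
import tempfile

ZERO_CHUNK = 1 << 20  # 1 MiB write/verify granularity


def clear_media(path: str, passes: int = 1) -> bool:
    """Overwrite every byte of the file-backed image at `path` with zeros,
    flush to stable storage, then read the image back and confirm no
    original byte survives. Returns True only if verification succeeds.
    (Assumes a regular file or image; os.path.getsize is 0 for raw
    block devices, which would need a different size lookup.)"""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(ZERO_CHUNK, remaining)
                f.write(b"\x00" * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # force the overwrite onto the medium
        # Verification pass: any non-zero byte means the clear failed.
        f.seek(0)
        remaining = size
        while remaining:
            n = min(ZERO_CHUNK, remaining)
            if f.read(n) != b"\x00" * n:
                return False
            remaining -= n
    return True


def sanitization_record(path: str, passes: int = 1) -> dict:
    """Run the clear and return the fields a disposal log should keep
    (field names are an assumption for this example)."""
    verified = clear_media(path, passes)
    return {
        "media": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "method": "clear (zero overwrite)",
        "passes": passes,
        "verified": verified,
    }


def demo() -> dict:
    """Constructed sample: a scratch file standing in for a retired disk
    image holding fake patient records."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(b"PATIENT: J. Doe, DOB 1970-01-01, Dx: ...\n" * 3000)
    try:
        rec = sanitization_record(path, passes=2)
        with open(path, "rb") as f:
            # Independent check that the marker text is really gone.
            rec["residual_phi"] = b"PATIENT" in f.read()
        return rec
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

One caveat the OCR list does not spell out: an overwrite only reaches the logical blocks the operating system exposes. On flash-based media (SSDs, USB sticks) wear-levelling can leave old copies of the data in blocks the overwrite never touches, so for those devices the manufacturer's sanitize or crypto-erase command, or physical destruction, is the defensible choice, and the read-back check above should be treated as necessary but not sufficient.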
Additionally, the HIPAA Privacy Rule does not require covered entities to keep patients’ medical records for any period of time. State laws tend to dictate how long medical records should be maintained, the agency explained.
“However, the HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal.”