PHI security is an essential aspect of healthcare data privacy for covered entities of all sizes. Each facility is different and will therefore benefit from different security measures. However, ensuring that PHI does not fall into the wrong hands or become exposed must remain a top priority. When healthcare organizations move from one location to another, this aspect cannot be overlooked.
An Illinois facility is currently under scrutiny for reportedly leaving thousands of paper medical records behind in a building after moving to a new one. The property’s new owner reportedly issued several warnings over the course of a year that a sale was taking place, and that the provider needed to grab the documents. However, that never happened.
Boyd Hospital used to manage the building in question, using the facility as a clinic, and also as an ambulance shed and a storage area, according to a report in The Journal Courier. Edward Crone bought the property, and told the news source that he and his realtor became aware of the documents during a final inspection before closing.
“The county informed them a year ago and they neglected to move the items,” Crone said, adding that he reached out to county officials to see how to proceed and if the sale should be postponed. However, they wanted to continue with the sale, according to Crone.
Boyd Hospital CEO Debbie Campbell had a slightly different story, and told the news source that the hospital was aware of a sale but did not know that there was a buyer or a closing date. She added that Boyd was aware of the records being stored in the building and that nothing was compromised.
When Campbell did pick up the records, she allegedly also tried to take items such as desks and chairs from the building, Crone said. However, he refused to let her take them, saying his agreement explained that everything in the building was his property after the sale. When it came to the medical records, though, Crone stated that they were important and should be returned to the hospital.
The Courier did not state what information was included in the medical records left at the property, just that they were over 20 years old. According to Campbell, they had been scanned into a computer system and the hospital was trying to determine what to do with the original copies.
But what exactly is the proper way to dispose of medical records, particularly ones that contain PHI?
The Department of Health and Human Services (HHS) published a frequently asked questions paper about the proper way to dispose of PHI. Essentially, it is unacceptable to simply dump PHI - whether in paper or electronic form - in a dumpster or containers that are easily accessible. However, a specific disposal method is not outlined in the HIPAA Privacy or Security Rules.
“Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps,” according to HHS. “In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed.”
It is also important to note that the HIPAA Privacy Rule does not have medical record retention requirements. However, state laws could potentially dictate how long medical records need to be kept on file. Even so, covered entities must ensure that they have implemented the necessary administrative, physical, and technical safeguards to keep PHI secure for however long the information is maintained.