The NBC New York I-Team found multiple boxes containing patient records in the trash outside an Upper East Side office building. The patient files were found on the curb outside the office of two gastroenterologists. The files included patient names, medical diagnoses, Social Security numbers, and colonoscopy photos. The careless discarding of patient files is a major HIPAA violation. The Health Insurance Portability and Accountability Act (HIPAA) established industry standards for the handling of protected health information (PHI), including rules for proper PHI disposal.
Dr. Warman, one of the doctors whose patient information was exposed, told the I-Team that the doctors had recently relocated their office to another office down the hall. They had contracted a shredding company to dispose of patient files; however, several boxes of files were still waiting for disposal in the old office. Dr. Warman believes that their cleaning crew may have accidentally thrown out the patient files without permission from the doctors.
The doctors’ attorney stated that the doctors “categorically deny disposing of any of their patients’ protected health information. They have policies and procedures in place regarding the safeguarding and/or disposal of their patients’ protected health information. The investigation thus far seems to indicate that the records were improperly taken and removed from a locked premises without our clients’ permission.” The doctors have since requested that the I-Team return their patient files so that they may dispose of them properly.
How to Avoid a HIPAA Violation with Proper Patient File Disposal
HIPAA violations can be costly: recently, a fine of $100,000 was issued to a medical records maintenance company that left patient files in an unlocked vehicle. To avoid HIPAA violations, and the fines that follow, it is essential that patient files are disposed of properly.
The Department of Health and Human Services (HHS) has released guidance on the proper disposal of patient files. Approved disposal methods include:
- Shredding or otherwise destroying PHI in paper records so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster or other trash receptacle.
- Maintaining PHI for disposal in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
- In justifiable cases, based on the size and the type of the covered entity, and the nature of the PHI, depositing PHI in locked dumpsters that are accessible only by authorized persons, such as appropriate refuse workers.
- For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
To avoid a HIPAA violation, covered entities must ensure that they, or the business associate they hire, dispose of patient files in accordance with HIPAA standards. While it may be permissible to dispose of patient files in a public dumpster, the files must first be sufficiently destroyed so that they are rendered unreadable and cannot be reconstructed.