In June 2017, an Illinois mom found two medical records in her middle schooler’s belongings.
She discovered that some of her daughter’s peers had taken the records from an abandoned nursing home and passed them around at school. The records included medications, doctor’s notes, diagnoses, Social Security numbers, addresses and other protected health information (PHI).
How did this HIPAA nightmare happen?
The nursing home closed its doors permanently in 2013. So how did a group of junior high students get their hands on these medical records?
Eighteen months after the facility closed, someone noticed a water leak at the home and called the city. The city found the building unlocked, with sharps in view, and medical records inside.
The mayor obtained a court order to remove the biohazardous materials (sharps and medications). However, the city did not have any authority to remove the medical records it found inside.
A restoration company made spot checks on the building to board up windows and make other essential repairs. This company also lacked authority to remove any property (such as medical records).
And, because the facility was no longer licensed after 2013, the Department of Health did not have any authority over the building or the records inside.
Six weeks after the middle schoolers broke in, the records are still inside and unsecured – some are “scattered throughout the hallway.” Time will tell whether the OCR intervenes to investigate the situation as a potential HIPAA violation.
What does the OCR say?
The Office of Civil Rights (OCR), which enforces HIPAA, has published an FAQ addressing the disposal of PHI. The OCR states that: “… covered entities are not permitted to simply abandon PHI…”
The OCR proceeds to give guidance on the factors covered entities should consider when it is time to dispose of PHI:
"However, the Privacy and Security Rules do not require a particular disposal method. Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed."
Finally, the OCR gives an example of an appropriate disposal method for paper PHI:
"For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed."
The OCR is clear that HIPAA obligations do not cease until PHI is properly disposed. Address risks to PHI proactively by including disposal plans in your HIPAA Security Risk Analysis, so they will be easy to execute if and when the time comes.