It’s not often that a HIPAA incident also provides a history lesson, but there’s a first time for everything.
Recently, a St. Louis resident decided to visit the site of the St. Louis Army Ammunition Plant, also known as the St. Louis Ordnance Plant. Located in northwest St. Louis at Goodfellow and I-70, the plant employed thousands during WWII and produced 6.7 billion cartridges. Now, the site is mostly vacant – but still draws occasional visits from those interested in St. Louis’ role in WWII.
Instead of finding a slice of world history, the gentleman visiting the abandoned factory found a big surprise: dozens of patient records tumbling over the curb. He discovered medical records for 60 patients of a dialysis clinic – including patient names, Social Security numbers, addresses, lab reports, and medical histories.
“Flabbergasted,” the man who stumbled upon the records called the news. (People who find medical records in strange places often call the news.) It was a big local news story.
It is unclear whether the records were dumped at the former artillery plant by the dialysis provider, or by a business associate responsible for storing the records. What is clear is the HIPAA problem: medical records should never ever ever be “dumped.” Or put in the trash. Or the recycling bin. They must be destroyed (i.e. shredded) so the PHI can never ever ever be read or recreated.
Who in your organization has access to paper records? Have you trained them on HIPAA’s destruction requirements?