Patient records discovered at dump – perfect example of hospital privacy dilemma
On August 13, 2010, the front page of The Boston Globe reported that four Massachusetts hospitals are investigating how the unshredded health records of thousands of patients ended up at a public dump. At least some of the records contain sensitive medical information and Social Security numbers. The situation highlights the difficulties that organizations – and healthcare organizations in particular – face in protecting confidential patient or other personal information when many different people have access to such information in the normal performance of their duties.
It is not unusual for patient records to be passed along a custodial chain that begins with the hospitals, goes through internal administration, physicians’ practices, insurance companies, medical billing firms and other outside service providers, and extends to document disposal companies. According to The Globe, the Massachusetts hospitals provided patient information to a physicians’ practice that provided pathology services. The pathologists then transferred at least some of the information to a medical billing company that had performed services for the pathology group for more than 20 years.
Hospital executives said that the former owner of the medical billing company told them that he had the records deposited at the dump. The Globe also reported that the medical billing firm had signed a contract requiring it to dispose of patient records in compliance with HIPAA — although the contract didn’t specify how compliance was to be achieved. As the agreement was signed in 2003, it wouldn’t have addressed requirements regarding “business associates” under the later-passed HITECH Act. Current laws at both the federal and state levels require the disposal of records containing personally identifiable information to render the information unreadable. The standard methods for complying with this requirement are shredding and incineration. The Globe quotes a lawyer, presumably with his tongue planted firmly in cheek, saying that dropping legible papers at the dump is not one of the methods for complying with the law. A spokesperson for the company that runs the dump stated that the dump was not designed to be an appropriately secure site for the disposal of private information. Now you also know that dumps have spokespeople. The Globe reported that the hospitals involved in this matter, when disposing of records internally (as opposed to records that are transferred to physicians’ practices or other service providers), place them in locked containers. Independent contractors then collect the containers and shred the documents either right at the hospitals or at the contractors’ own facilities.
Hospital officials are addressing the complicated legal issues involved. The dumped records apparently spanned up to three years. The hospitals must search for every patient tested by the affected practice to determine who needs to be notified under federal and state law. One of the hospitals estimated that between 8,000 and 12,000 of its patients would need to be notified, while another of the hospitals put its number between 16,000 and 24,000 patients. The hospital officials said that they needed to determine which parties in the chain of custody (the hospitals, the physicians’ practice and/or the medical billing company) are legally responsible for notifying patients. Two of the hospitals involved said that they would notify patients themselves. The hospitals also said that they would notify the Massachusetts attorney general about the matter. It is certain that some or all of the affected organizations will incur very substantial costs in notifying individuals of the breach, providing call center and credit monitoring services, and especially in hiring specialists to perform forensic investigations of the extent of the breach.
David Harlow, an experienced health care lawyer and consultant, has noted in his HealthBlawg that each of the hospitals involved could face federal fines of up to $1.5M, as well as enforcement action by the Massachusetts Attorney General. You can read his piece, including his discussion of what the hospitals could have done to comply with HIPAA and avoid this kind of situation, at http://bit.ly/bW8uLT.
Important insurance coverage note: many policy forms might well not cover the liabilities faced in this situation. In addition, many insurance applications ask the insured whether it has taken steps to ensure that third-party service providers comply with legal requirements and the insured’s policies regarding the handling and disposal of personally identifiable information.
A quotation in the Globe article is an incisive explanation of the dilemma that many organizations face in safeguarding confidential personal information. According to Clark Fenn, the risk manager at one of the affected hospitals, “This is a perfect example of how complicated the security of confidential information is … There are many hands that touch things. All it takes is one slip in that process for information to be released.”