Medical Records Privacy Taken Out With The Trash


Austin’s KEYE-TV had an interesting feature tonight on medical records privacy. They discovered hundreds of medical records simply dumped at the Round Rock, Texas, Recycling Center: medical information, prescription data, insurance cards, signatures, social security numbers. Texas requires that medical records be kept at least seven years. HIPAA says dumpster disposal is fine, as long as the records are unreadable. But even a doctor’s medical billing records, disposed of by a third party, showed up at the recycling center. Luckily, the person who discovered the huge stash didn’t try to make use of any of the information he found.

New Rules Make Medical Records Privacy More Expensive to Lose

The AMA’s amednews expects new federal medical records privacy rules to significantly change the way doctors run their medical practices. Privacy notices will replace at least some of those interior body organ charts in doctors’ offices. The biggest impact will be the serious fines practices may face after a security breach.

Shredding companies, electronic storage providers, practice consultants: all could now be liable. In the article HIPAA gets tougher on physicians, senior policy adviser Robert Tennant (MGMA-ACMPE) gives the following example:

…if someone paid to shred patient files instead throws the documents into a trash bin and causes a breach, the practice also is subject to enforcement violations caused by that business associate. . .  there are significant potential fines associated with these violations, upwards of $1 million-plus for particularly egregious cases.

Overstuffed Letters and Indecent Proposals

Business associates and service providers are responsible for a lot of leaked personal data. Federal law requires the Department of Health and Human Services to post major medical records privacy breaches on its web site. If a privacy breach affects more than 500 people, it’s included in the data breach list. The list includes:

An equipment operator at the state’s postal facility set the machine to insert four (4) pages per envelope instead of one (1) page per envelope, which caused the PHI of four individuals to be sent to one address per envelope. The error affected approximately 1770 enrollees. The letters contained information such as names, addresses, birth dates, and social security numbers.

Pinnacle Health Systems was notified that a business associate, a medical transcription service, had a server compromised in which reports of Pinnacle patients could be viewed online. The server compromise involved the protected health information of 1085 individuals. The protected health information involved in the breach included names, Medicaid ID numbers, dates of birth, and primary physicians.

A business associate prepared a document as part of a request for proposal for the covered entity’s vision benefit program which mistakenly included protected health information of 22,642 individuals. The document was posted online for five days. The protected health information involved in the breach included social security numbers, dates of birth, gender, zip codes, and vision plan enrollment information.

A file server at the Office of Health Services was compromised and impermissibly accessed. The compromise potentially exposed the prescription records of 27,000 individuals to an unauthorized source. The protected health information involved in the breach included names, addresses, diagnostic codes, name of medication prescribed, medication costs and some social security numbers.

Dumpster Diving and Medical Records Privacy

WHNT News 19 also recently discovered a dumpster full of out-of-state medical records from an Alabama doctor who had relocated from Virginia with the records and claimed to have hired a shredding service. And that is just one single incident involving one physician. A recent post on The Huffington Post Tech Blog discussing medical records privacy points out:

While we tend to worry about web companies like Google, Facebook, and, more recently, Instagram, sharing or tracking our private lives, the real threat to our privacy and identity comes from the shadowy world of electronic medical record storage.

A new study by the Ponemon Institute found that a whopping 94 percent of polled healthcare organizations have suffered ‘data breaches’ that exposed patient records. That’s a 65 percent increase since 2010-2011. Even worse, 45 percent of organizations reported they had more than five significant data breaches in the past two years. Less than half of these hospitals and clinics are confident they can prevent future data breaches or even know they took place.

The lesson from all of this? If they want to make a copy of your driver’s license or take your entire social security number the next time you’re fighting the flu, push back. If they don’t need the information to treat you, don’t give it. If they can take the time to cut the subscription labels from the waiting room magazines, they can take your medical records privacy needs seriously as well.

Photo by Kurhan


One Response

  1. Brian Fox

    02/05/2013, 05:02 pm

    Actually, Texas law is even more strict. HIPAA always allowed more restrictive state laws to preempt the national standards. The Texas Medical Records Privacy Act requires employee training on medical records privacy for all covered entities. A Texas covered entity has to get your permission to use your personal health information for marketing purposes; the national standard does not. More information on Texas privacy rules is at https://www.oag.state.tx.us/consumer/hipaa.shtml
