Paper records containing patient data must be treated with the same care as other forms of records. When these paper charts are no longer needed, they must be disposed of properly, in a way that they cannot be viewed by another person. Dumping patient records in a trash bin don’t qualify as protecting patient records. Simply dumping patient records would result in many violations of HIPAA law. HIPAA has very specific guidelines on how these records must be destroyed when they are no longer needed.
In August 2017, boxes of records were found in a recycling bin of an Allentown, Pennsylvania recycling firm. A person utilizing the recycling center found the discarded data and reported it to a local news center.
The files were in a publicly accessible area and had not been shredded or destroyed.
The records were from an OBGYN office, Women’s Health Consultants, in South Whitehall Township, Pennsylvania.
A reporter from the Morning Call went to the recycling center and was able to find the records. She contacted one of the patients in the records. The patient hadn’t been a patient of the practice for more than four years.
Women’s Health Consultants is no longer in business. It is not clear if it was a result of this incident or other issues. The breach was reported to both the Pennsylvania Attorney General’s office and the Department of Health and Human Services.
Why is dumping patient records a problem?
All records must be destroyed when no longer needed according to HIPAA regulations. If records are not disposed of properly, then the breach can result in fines ranging from $100 to $50,000 per patient records, up to a maximum of $1,500,000.
Patient records contain a lot of sensitive information about patients that could be used for identity theft, insurance fraud, and other criminal acts.