Over 20 boxes containing thousands of medical records were found in a Texas dumpster. The improperly disposed of medical records contained records for thousands of patients of Today’s Vision. The records date from 1997 until 2013 and contained information such as payment and insurance-related information, medical histories, and contact information.
The records were found in a dumpster in the town of Tomball. Today’s Vision was owned by Dr. Donald Glenz who sold the practice to MyEyeDr, an optometry corporation, 3 months before the dumping incident. Dr. Glenz still works part-time at the clinic during the transition.
In addition to patient information, the improperly disposed of medical records also contained employee files. These files were of former employees of the practice and contained scheduling information, immigration status, resumes, and Social Security numbers.
Today’s Vision has more than 50 optometry clinics throughout Texas. Each is independently owned and operated.
If you would like to read more on this incident, please head over to Click2Houston.
HHS is now investigating
The Department of Health and Human Services has stepped in to investigate the HIPAA violation. With the help of local police, HHS will determine how the records ended up in the dumpster and who is responsible.
Due to the number of patient records found, the fines could be enormous. Keep in mind that this wasn’t an accidental breach and that it showed a lack of regard for patient privacy. HHS tends to take a very negative view of these sorts of breaches.
Optometrists are not often associated with HIPAA
When most people think about HIPAA privacy, they usually think about primary care physicians, specialists, and hospitals. However, HIPAA covers a much larger group of healthcare providers. These include optometrists, chiropractors (in many cases), pharmacies, and even dentists. Patients have a right to know that their medical data will be protected and kept private.
What is the proper way to dispose of medical records?
For paper medical records, there are several acceptable methods of disposal. These include shredding, pulping, burning, or pulverizing. The end result must be that the records are unreadable and cannot be reconstructed.
Often practices will hire outside services to perform this task for them. These companies will come onsite and destroy the records. If you employ such a service, make sure you obtain a Business Associate Agreement from them before starting. In addition, once done, make sure that they provide you with a certificate of destruction. For reputable document destruction companies, this will not be an issue.
Improperly disposed of medical records are fairly common. However, in this age where everyone has a camera phone, the likelihood of these going undiscovered is pretty small. Practices should take their HIPAA responsibilities seriously and properly dispose of all records.