Medical records blowing in the wind...
February 13, 2009 6:42 AM   Subscribe

Unshredded medical records literally hit me in the face. Should I do something about this?

I was walking down the street today when I noticed the wind had picked up a serious stack of papers, creating what looked like a paper tornado. Some of the papers blew past me and plastered themselves against the chain link fence I was walking by and I noticed that the papers seemed to be printouts of some sort.

I peeled one off the fence and examined it. It seems to be results from an ultrasound, with the patients name, age, referring MD, calculated age of fetus, and comments like "Uterus Empty" or "Right ovarian corpus lutem cyst".

I was able to collect 7 of these printouts without even trying (they were stuck to the chain link fence). All from different patients from the years 2003-2006. Most of the printouts had blown over the fence into a school yard.

There is no text on the printouts identifying the organization that produced them, but I am sure with the patient name and the referring MDs name it wouldn't be that hard to find out. In addition, some of the printouts have hand written comments that are initialed by someone.

These documents strike me as something that, at the very least, should have been shredded. Is this negligence? Should I stick my nose in this, or just tear up the papers I have and forget the whole business?

This is in New York City.
posted by anonymous to Law & Government (11 answers total)
 
There is no text on the printouts identifying the organization that produced them, but I am sure with the patient name and the referring MDs name it wouldn't be that hard to find out.

These same privacy laws would make it hard to find out.
posted by smackfu at 6:55 AM on February 13, 2009


I don't think tearing up all the papers would be a good idea. What if those are the originals or needed for a lawsuit or something? I think perhaps you shouldn't get involved to the point that you are contacting the clients, but a good idea might be to turn them over to a cop. You could then post a message on the nearest tree saying where you took the documents if you wanted.

Good job you for noticing that.
posted by big open mouth at 6:59 AM on February 13, 2009


You really need to find out where these originated and contact the institution. Many large hospitals have privacy officers who are responsible exactly for this kind of thing, and want to know ASAP if documents have been improperly disposed of.

I can't stress enough how important it is (to the organization, and especially to those patients) to find out the source of the leak is and notify someone.

Was there a recycling plant nearby? It's possible the papers didn't come directly from a clinic/hospital, but were improperly handled upon disposal. Please take the time to figure out, based on the MD names, what the originating organization likely is, and give them a phone call. If they have half a brain, they will take this very seriously.
posted by peggynature at 7:56 AM on February 13, 2009 [1 favorite]


Contact some of these blogs: phiprivacy (admin[at]phiprivacy.net), the breach blog (still active though not daily - evan[at]frsecure.com). There are additional, related blogs in the breach blog's recent going away post.
posted by cashman at 7:56 AM on February 13, 2009


Yes, that is most likely a HIPAA violation - name and DOB is considered enough to identify an individual, which means anything with those on there is enough to shred. Unfortunately, the referring MD is not the one who probably left the papers out. I'd bundle the stack and contact the referring MD - that's the only name you have, so I'd send it there. Of course, if you're close to a medical center (in NYC that's awfully likely), you might want to just get in touch with their Health Information/Medical Records dept and say you found them nearby.

Yeah, it's a legal thing, but I can't imagine the cops here in New Haven, for instance, giving a flying crap about it. At most they'd shred them themselves and send out a memo to the local health providers reminding them not to dump sensitive information.
posted by cobaltnine at 7:57 AM on February 13, 2009


Just for context, here's a similar incident that occurred a few years ago in Toronto, with medical records that were used as props for a movie shoot.
posted by peggynature at 8:06 AM on February 13, 2009


We've had numerous cases in the local news of medical records found in dumpsters, in trashed boxes behind buildings, etc, etc. Here's a recent one. In this particular case, the records identified the provider, and the TV station attempted to track them down. This is in Texas, where "...the attorney general's office said they are obviously interested in and have prosecuted cases like these. Companies have a legal obligation to shred sensitive material properly."

If my records were blowing around on the street, I'd hope someone would be held responsible for it. I'd also hope the responsible parties would help pay for identity theft protection and credit monitoring. If you feel the same, perhaps you could contact your state attorney general office, or maybe the city attorney, or a local TV station "helpline/investigation" reporter like this person did.
posted by Robert Angelo at 8:14 AM on February 13, 2009


It's probably a HIPAA violation, but possibly not. If the papers were appropriately released, the covered entity (health care provider, plan or clearinghouse) cannot take responsibility to protect them.

I'd contact the Office for Civil Rights Regional office (OCR handles HIPAA issues). They'll investigate it. With the large number of covered entities in your vicinity, you'd need to be super lucky to find the right one.

Region II - New York (New Jersey, New York, Puerto Rico, Virgin Islands)
Michael Carter, Regional Manager
Office for Civil Rights
U.S. Department of Health and Human Services
Jacob Javits Federal Building
26 Federal Plaza - Suite 3312
New York, NY 10278
Voice Phone (212)264-3313
FAX (212)264-3039
TDD (212)264-2355

or the email OCRPrivacy@hhs.gov
posted by 26.2 at 8:25 AM on February 13, 2009


this is the kind of thing local news stations love to send their "troubleshooter" team out on. you know, the ones who confront sketchy auto mechanics and absentee slumlords. Might want to contact one of them.
posted by missjenny at 10:36 AM on February 13, 2009


As long as the medical information cannot be tied to a particular patient, there is no breach of trust. Thus, the deepest medical secrets of your life are available to researchers, so long as your particular information (Name, DOB, SSN, etc. Not your gender, ethnicity, or age) is redacted or otherwise obfuscated.

If you could pull it off the fence and trace the information back to a live human, then there's been a HIPPA violation. Whether the violation was from the Doctor's office or a recycling company, it does not matter.

In addition, I was about to caution against too much invective as I've seen a case where records were brought to a facility from a concerned citizen, only to find that the patient himself was negligent and just left a stack of papers from his medical record in a food court. Then I saw that you had found records from several different patients. This is gross negligence, and should be brought to the attention of the proper authorities.
posted by eclectist at 12:06 PM on February 13, 2009


especially because it appears to be about reproductive health and therefore could potentially involve direly private info like abortion/paternity/ fertility... definitely contact media...
posted by Maias at 4:30 PM on February 13, 2009


« Older Down Time for Knee Surgery?   |   Slay the zombie, save the world Newer »
This thread is closed to new comments.


Tags

Share