Record of improper private medical information disclosure?
July 25, 2013 11:37 AM

Would a U.S. health care service provider be required to publicly report the improper disposal and disclosure of health care records and other personal information?

A friend's health care service provider dumped numerous patient records, including medical information and social security numbers, in a dumpster behind one of their locations. Some of those records were discovered and taken by a third party, then eventually reported to the health care provider. The provider asked for the records to be returned, then subsequently said the issue had been "dealt with".

Was the health care provider legally required to report the incident?

If so, are these reports public record?

And how can we check to make sure that the company followed the law?

Long story short, my friend is freaking a bit and would like to know the details of the incident. We're assuming that the company just shredded these "found" documents and never reported it. We'd like to get to the bottom of it for peace of mind.

We're located in N.C. if that makes any difference. Also, the health care provider has since gone out of business, so we can't simply call the company and ask to talk to the privacy officer.

Throwaway email address.
posted by anonymous to Health & Fitness (4 answers total)
 
I believe the Interim Breach Notification Regulations under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act would be applicable. How many patients were affected? There are different rules for more than and less than 500 patients. There is a public list of entities that have experienced breaches affecting more than 500 individuals.
posted by ThePinkSuperhero at 11:47 AM on July 25, 2013


Well, because of HIPAA here are the requirements for correctly retaining and disposing of medical records.

So what they did was totally ILLEGAL.

I'm not sure how you'd get confirmation that the records were ultimately disposed of correctly, but call HHS to see if they might have information.
posted by Ruthless Bunny at 11:50 AM on July 25, 2013


Disposing of identifiable records in the manner you describe is illegal under Federal law. Failure to disclose the privacy breach to affected parties is also illegal. Dept. of Health and Human Services has leveled fines on companies that break privacy laws of anywhere from a few thousand to millions of dollars. If your friend hasn't been notified as HHS requires, with information explaining how to protect themselves and what is being done to mitigate harm, they can file a complaint with OCR (relevant agency under HHS).

From TPS's link above, this is what covered entities under HIPAA must disclose about a breach of privacy:
These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity. Additionally, for substitute notice provided via web posting or major print or broadcast media, the notification must include a toll-free number for individuals to contact the covered entity to determine if their protected health information was involved in the breach.
posted by Wretch729 at 12:20 PM on July 25, 2013


I missed the line about the provider being bankrupt. That's a bummer, because there may not be much blood left to squeeze from that stone.

Your friend can take steps personally to protect him/herself from identity theft, like putting a fraud alert on their name with the credit rating agencies. Mefite Verdandi has given good advice about this in the past, and there are tons of other threads on ID theft I can't remember off the top of my head.
posted by Wretch729 at 12:30 PM on July 25, 2013

