By: Louise Lindsey, B.S., M.A., D.Div.
A recent article in the HIPAA Journal regarding the improper disposal of private health information (PHI) serves as a reminder to healthcare providers that protecting an individual’s PHI is multifaceted. Protecting private health information is about more than taking care about leaving messages on an answering machine, talking about a patient’s private health information in a public setting, or not storing such information on personal devices and computers. It’s about evaluating every aspect of where such information might be kept and making sure to dispose of it properly.
The cleaning crew member who emptied the trash for the Minneapolis Heart Institute at Abbott Northwestern Hospital was just doing what he always does with regular trash. He did not even stop to consider that the papers in the trash can required special handling – why would he? He’s there to clean up and empty trash cans. And, that is exactly what he did.
Like all compliance sensitive healthcare providing facilities, Minneapolis Heart Institute has policies and procedures in place that require all documents containing sensitive patient health information to be securely destroyed in accordance with HIPAA Rules. Unfortunately the trash container in a physician’s private office had documents that needed to be securely shredded before disposal.
The incident was discovered, but not in time for the documents to be recovered and securely destroyed. The documents had been emptied into a bin bag which was placed in a regular recycling dumpster at the hospital.
Now, the problem being faced is how many individuals have been impacted. Since that is unknown, the Minneapolis Heart Institute is notifying all patients who were part of the physician’s service group between April 17, 2016 and January 17, 2017. Those individuals have been offered credit monitoring and identity theft protection services without charge for a period of 12 months, even though the risk of any PHI being accessed by unauthorized individuals is believed to be very low.
The documents contained PHI including names, addresses, birth dates, medical record numbers, clinical data, and health insurance information. Some health insurers use Social Security numbers as health plan identifiers; therefore, some Social Security numbers may also have been on the documents.
This incident makes it clear that it takes more than policies and procedures alone to prevent breaches in protecting private health information, it takes constant vigilance and educating personnel at all levels about the importance of handling PHIs very carefully.
Should you find that you have had a breach in protecting the health information at your facility, you can find out more information at this web site:
https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html?language=es
