by John W. Mitchell, Senior Correspondent | June 03, 2015
The medical records of hundreds of patients — complete with social security numbers and credit card information — have turned up in boxes loaded into a storage facility's dumpster.
According to local news sources, Carl Swanger was visiting his unit at AAA Rent-A-Space in Richmond, Kentucky, when he noticed the boxes, which had been emptied from a storage unit abandoned in July 2011. Swanger has been quoted as calling the discovery "a gold mine for an identity thief."
It was determined the boxes belonged to Richmond Radiology, which ceased to operate nearly 15 years ago. Swanger took the records to nearby Baptist Health hospital.
“We’re doing what we can to help,” hospital spokeswoman Jill Williams told DOTmed News. “The records aren’t ours, but we take our responsibility seriously to protect medical information for all patients, not just our own.”
Williams said the hospital is storing the records in a secure location. They have been in contact with a representative of the former radiology group, which is scheduled to pick up the records by the end of the week. The reason payments lapsed on the storage space is unclear.
The incident is likely to attract regulatory interest at the highest level, Michelle Foster Earle, president of the risk management firm OmniSure Consulting Group, told DOTmed News.
“Because of the news coverage and other circumstances, the Department of Health and Human Services Office of Civil Rights (OCR) is likely to investigate. OCR has made it clear that it is a health care provider's duty to protect sensitive health information [through] proper protection and disposal of paper records,” she said.
“Recently OCR fined Cornell Prescription Pharmacy $125,000 and required them to adopt a corrective plan related to maintaining and disposing of paper records. Last year, Parkview Health System agreed to pay $800,000 in fines for alleged violations relating to the improper handling of records from closed physician practices,” continued Earle.
According to OmniSure's attorney advisor, Cynthia Stamer, the radiology principals could also be looking at investigation under Kentucky HIPAA-style laws.
“In breaches affecting more than 500 patients, the event must be reported under HIPAA’s breach rules to the media, as well as to the OCR,” said Stamer.
Both Stamer and Earle stressed that closing a health care practice does not end the responsibility of doctors for protecting confidential patient records. HIPAA requires that records be kept for six years before being destroyed.
“Providers closing a practice or business should seek counsel to make sure they have properly met HIPAA and other regulations, to avoid an unfortunate surprise like this,” said Earle.