Today the Boston Globe reported the dumping of thousands of sensitive medical records at a local garbage transfer station:
It seems an obvious breach of HIPAA patient privacy rights, among other things. Apparently, the records were in the hands of a billing company that helped with collections for numerous hospitals. When the billing company was sold, the new owners only wanted records from 2010 onward, so the previous owners dumped the older files. Will the previous owner face charges? Not known yet, but he will definitely face an investigation.
Lesson Learned: Those hospitals are red-faced and could face lawsuits. They will have to go back through years' worth of records and let former patients know about the potential exposure of their social security numbers, medical information, and treatment records. What a paperwork nightmare! One hospital official even admitted to being uncertain whether the billing company had ever signed a privacy clause in its service contract.
What to do: Do you handle confidential information from customers or clients? Be sure to set up proper security policies. If you outsource any handling of confidential information (for HR, IT, billing, etc.), then you MUST make sure that the contractor understands and agrees in writing to your requirements for confidentiality, security, and data disposal.
Further Help: See the Department of Health and Human Services website for more information: