300,000 Records Found at Hospital Slated for Demolition
Documents Discovered Four Years After Hospital Moved to New Facilities
Documents containing information on more than 300,000 patients were recently discovered on the former campus of a Missouri hospital that's being prepared for demolition four years after the hospital moved to new facilities. The incident illustrates the need to track all paper records that contain protected health information.
In a statement posted on its website, SSM Health St. Mary's Hospital in Jefferson City, Mo., says that on June 1, it was notified that "documents and other materials containing patient information were discovered in isolated locations at the former hospital campus."
The hospital says it has confirmed that all formal medical records were "safely and securely transferred" prior to the move to the new facility on Nov. 16, 2014. The paper documents left behind at the old facility included administrative and operational documents for various departments, the hospital notes.
"The documents included demographic, financial, and/or clinical data, but in most instances involved very limited information such as name or medical record number alone," according to the hospital's statement. "A comprehensive review of the recovered information is underway, and the hospital has also retained a document services firm to assist in cataloging all recovered documents."
SSM Health notes that although security safeguards and deterrents were in place to protect the shuttered facility, "the investigation has confirmed that the safeguards were not adequate to ensure the security of the patient information and other materials with absolute confidence between the date of the move until the date that the hospital was notified on June 1."
The organization also notes that while it believes that the incident "does not represent a significant risk to patients, it does constitute a privacy breach under HIPAA."
An SSM Health spokeswoman tells Information Security Media Group: "The documents were found in more than one location after a member of the community brought it to our attention. The old SSM Health St. Mary's campus was vacated in November 2014."
She adds: "SSM Health St. Mary's Hospital is in the process of reviewing and revising its policies and procedures regarding proper record storage, retention and destruction, as necessary. We are working with affected individuals and offering ID protection when appropriate."
SSM Health is a Catholic, not-for-profit integrated health system with more than 40,000 employees and 10,000 providers, according to its website.
One of Largest 2018 Breaches
The SSM Health incident is listed on the Department of Health and Human Services' HIPAA Breach Reporting Tool website as an improper disposal breach impacting 301,000 individuals.
The incident is the fourth largest breach posted so far this year on the HHS breach tally website. The site, also known as the "wall of shame," lists breaches impacting 500 or more individuals since September 2009.
Some similar improper disposal incidents have resulted in enforcement actions by federal regulators.
For instance, in February, the HHS Office for Civil Rights, which enforces HIPAA, entered a $100,000 settlement with Filefax, a now-defunct medical records storage company at the center of a 2015 "dumpster diver" breach affecting more than 2,000 patients.
In that case, patient records were found in an unlocked vehicle in Filefax's parking lot, and hundreds of pounds of paper medical records that should have been shredded or destroyed before disposal were discovered unprotected in a dumpster outside the Filefax building.
And in 2014, OCR signed an $800,000 settlement with Parkview Health System as a result of an incident in June 2009. In that breach, the paper medical records of 5,000 to 8,000 patients were left unattended in the driveway outside the home of a retired physician.
In some other cases, the Federal Trade Commission as well as OCR took action in the aftermath of breaches involving improper disposal of patient information.
For example, the two agencies reached a 2010 settlement with Rite Aid Corp., which agreed to pay a $1 million fine and take corrective action after some of its stores improperly disposed of prescription information in dumpsters.
Also, a $2.25 million settlement was reached in a similar case against CVS Caremark in February 2009.
Precautions When Moving
Kate Borten, president of security and privacy consultancy The Marblehead Group, says the SSM Health incident is a reminder that an organization's "security, privacy and/or compliance officer should be involved with facility moves and changes" to ensure sensitive records are not left behind.
"While paper medical records are typically treated with care, other documents may be overlooked and left exposed, as in this case," she notes.
Privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek, offers more advice: "Even with the widespread adoption of electronic health records, hospitals, provider practices and health plans are printing millions of pages of paper every month. A critical step for safeguarding PHI is to have a document management process that tracks, manages and stores PHI in all forms."
Organizations should develop and implement policies and procedures that create accountability for identifying what documents are being created, how they are being maintained and monitoring their secure storage or destruction, Holtzman stresses. They "should take their cue" from the HIPAA Privacy Rule requirements to develop and apply policies and procedures for having administrative, physical and technical safeguards to protect the confidentiality of PHI through its final disposition, he adds.
"Make it a management imperative," Holtzman suggests. "Create workforce accountability for proper handling of PHI in any form. Identify what are secure and proper methods of destruction and disposal of electronic media, hardware and paper documents. Train your workforce on those methods for secure destruction and disposal of PHI."
Disposal of Electronic PHI
Addressing another PHI disposal issue, OCR's latest cyber alert enewsletter, issued Tuesday, focuses on the risks posed by improper disposal of electronic devices containing PHI.
"Devices or media that need to be replaced should be decommissioned and disposed of securely to ensure that either the devices or media are destroyed or any confidential or sensitive information stored on such devices or media has been removed," OCR writes. "Improper disposal of electronic devices and media puts the information stored on such devices and media at risk for a potential breach" involving PHI and other sensitive data, the agency adds.