Dumping of Medical Records Investigated by Attorney General’s Office

Recently an officer from the Indianapolis Metropolitan Police Department (IMPD) found a number of medical records in a recycling dumpster, accessible to the public, in Broad Ripple Park, Indianapolis.

A quantity of confidential documents were located in file folders in the dumpster which had been mixed up with newspapers and other paper and cardboard.

IMPD recovered the files and folders from the recycling dumpster. However, there is no way of knowing whether any documents had been removed by members of the public. It is also not transparent whether files had been dumped on a just one occasion, or whether material had been disposed of over an extended duration of time.

The Indiana Attorney General’s Office is now involved and attempts have been made to contact recycling and waste disposal companies who possibly may have come into contact with dumped medical data. If any further files and folders are discovered the attorney general’s office will arrange for the files to be collected and secured.

According to the police report, the files located contain highly sensitive data including patient names, addresses, health insurance information, and Social Security numbers. An inquiry is being conducted to determine who the files belong to, and how they came to be in the dumpster in Broad Ripple Park.

HIPAA requires all medical records to be disposed of safely when they are no longer required. Covered bodies and their business associates must ensure that paper files are destroyed and rendered no longer usable, unreadable, and indecipherable. In addition to this State laws in Indiana require personally identifiable information to be disposed of securely.

Covered bodies found to be guilty of improperly disposing of medical records could be hit with heavy fines and the Department of Health and Human Services’ Office for Civil Rights has, on a prior occasion, taken action against HIPAA-covered bodies that have been discovered to have improperly disposed of PHI. In June 2014, OCR reached a $800,000 settlement with Parkview Health System – which serves subscribers in Northern Indiana – after the company improperly disposed of medical information.

The Indiana attorney general can also take action against companies and individuals who do not dispose of confidential information securely. Indiana is one of a handful of states that has previously used the right to issue financial penalties for HIPAA violations. In early 2015, a fine of $12,000 was issued to former Kokomo dentist Joseph Beck for illegally dumping the files of almost 7,000 patients.

The Attorney General’s office is reviewing the breach and will issue further updates on the incident when further information is found. Indiana’s Disclosure of Security Breach law requires people to be notified of any breaches of personally identifiable information. Affected individuals will be advised of the breach in the coming weeks.