Improper Disposal of PHI: Texas Attorney General Takes Action

A legal case has been filed by the Texas attorney general’s office against Alliance Health Management & Consulting Inc., for the improper disposal of Protected Health Information (PHI) of patients.

The home healthcare management company is no longer operating, having ceased trading in July 2009; however in 2014, documents with the PHI of patients were found to have been discarded in a dumpster without first having been rendered unreadable.

The HIPAA Privacy Rule requires covered bodies to implement physical safeguards to keep all forms of PHI secured at all times. When PHI is no longer needed by a covered body it must be disposed of securely (45 CFR 164.310(d)(2)(i) and (ii)). PHI has to be destroyed, or rendered unreadable and indecipherable. It must not be possible for any element of PHI to be reconstructed in any way.

The exact method that must be used to terminated records is not stipulated by HIPAA Rules, although for physical records the OCR recommends pulping, burning, shredding, or pulverizing. Medical records and other data covered under HIPAA Rules must not be disposed of in dumpsters or with regular trash, as the data could be found and viewed. It does not matter whether the covered body is still in business or has ceased trading. A covered body remains responsible for the records until such time that they are no longer needed and can legally be disposed of.

Each state has different laws governing the length of time that medical records must be stored. In Texas, medical records must be kept for a duration of at least 7 years following the last date of treatment. Since Alliance Health Management & Consulting Inc., stopped trading in July 2009, at least some of the records would have needed to be maintained until July 2016.

On July 14, 2014, the medical records were found in a recycling dumpster. Since no effort had been made to render the data unreadable, HIPAA rules were violated. However, the lawsuit was taken for breaches of state laws covering identity theft prevention, and also for the company having participating in “false, misleading, and deceptive acts and practices.” A civil penalty of up to $20,000 is being pursued by the state for each violation. The lawsuit has been taken against Alliance Health Management & Consulting Inc., and its former director, Maria Olveda.

The patient data exposed were highly sensitive and included Social Security numbers, patient names, and dates of birth. The exact data normally sought by identity thieves. Had the records not been secured by the Northside Independent School District Police, the risk of patients suffering financial fraud would have been high. The data contained in the files also included highly sensitive medical data which could possibly have been used to discriminate against patients. Details of counselling sessions were included in the files, along with information provided by patients in confidence during those sessions. Information regarding drug abuse was also present in some patient files, in addition to personal medical histories.

The records were found in a recycling container by a member of the public who made it known to the authorities. The files were gathered by NSID police, before being sent to the Texas branch of the HHS.  All patient records are believed to have been secured in time to prevent data being  misused; however, that could easily have not been the case, hence the lawsuit has been filed.