Improper Disposal of PHI: Texas Attorney General Takes Action

by | Nov 26, 2015

A legal case has been filed by the Texas attorney general’s office against Alliance Health Management & Consulting Inc., for the improper disposal of Protected Health Information (PHI) of patients.

The home healthcare management company is no longer operating, having ceased trading in July 2009; however in 2014, documents with the PHI of patients were found to have been discarded in a dumpster without first having been rendered unreadable.

The HIPAA Privacy Rule requires covered bodies to implement physical safeguards to keep all forms of PHI secured at all times. When PHI is no longer needed by a covered body it must be disposed of securely (45 CFR 164.310(d)(2)(i) and (ii)). PHI has to be destroyed, or rendered unreadable and indecipherable. It must not be possible for any element of PHI to be reconstructed in any way.

The exact method that must be used to terminated records is not stipulated by HIPAA Rules, although for physical records the OCR recommends pulping, burning, shredding, or pulverizing. Medical records and other data covered under HIPAA Rules must not be disposed of in dumpsters or with regular trash, as the data could be found and viewed. It does not matter whether the covered body is still in business or has ceased trading. A covered body remains responsible for the records until such time that they are no longer needed and can legally be disposed of.

Each state has different laws governing the length of time that medical records must be stored. In Texas, medical records must be kept for a duration of at least 7 years following the last date of treatment. Since Alliance Health Management & Consulting Inc., stopped trading in July 2009, at least some of the records would have needed to be maintained until July 2016.

On July 14, 2014, the medical records were found in a recycling dumpster. Since no effort had been made to render the data unreadable, HIPAA rules were violated. However, the lawsuit was taken for breaches of state laws covering identity theft prevention, and also for the company having participating in “false, misleading, and deceptive acts and practices.” A civil penalty of up to $20,000 is being pursued by the state for each violation. The lawsuit has been taken against Alliance Health Management & Consulting Inc., and its former director, Maria Olveda.

The patient data exposed were highly sensitive and included Social Security numbers, patient names, and dates of birth. The exact data normally sought by identity thieves. Had the records not been secured by the Northside Independent School District Police, the risk of patients suffering financial fraud would have been high. The data contained in the files also included highly sensitive medical data which could possibly have been used to discriminate against patients. Details of counselling sessions were included in the files, along with information provided by patients in confidence during those sessions. Information regarding drug abuse was also present in some patient files, in addition to personal medical histories.

The records were found in a recycling container by a member of the public who made it known to the authorities. The files were gathered by NSID police, before being sent to the Texas branch of the HHS.  All patient records are believed to have been secured in time to prevent data being  misused; however, that could easily have not been the case, hence the lawsuit has been filed.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy