The Allina Health System Minneapolis Isles clinic has notified around 6,000 patients of a breach of their Protected Health Information (PHI).
The clinic, located at 2800 Hennepin Avenue, found instances of improper PHI disposal had occurred after documents including sensitive information were found in regular garbage. HIPAA rules dictate that all documents containing PHI to be rendered unreadable, indecipherable, and incapable of being reconstructed prior to being destroyed.
The HIPAA breach is not understood to have resulted in any patient health data being viewed by unauthorized people, although the clinic is unable to guarantee that to be the case.
According to a release by Allina Spokesman, David Kanihan, the incident is thought only to be a “technical breach of unsecured protected health information.” Because a danger does exist, out of an abundance of caution Allina Health System will be offering all affected patients a year’s credit for monitoring services.
The data, possibly exposed, included names of patients, their mailing addresses, dates of birth, health plan details, medical record numbers, the last four digits of Social Security numbers, and some clinical information. However, since some health plans use members’ full social security numbers as their health insurance IDs, a limited number of patients have possibly had their full SSN exposed.
This improper disposal of PHI was found on October 27, 2015. While hospital policies required documents containing PHI to be got rid of in secure shredding bins, some had been placed in containers that were emptied into regular trash dumpsters. Those dumpsters were private and only utilized by the clinic and were not accessible to the public. The dumpsters were placed in a locked garage within the clinic grounds. Trash was gathered weekly and taken to a garbage processing facility. The trash was subsequently sent to be burned.
An investigation showed that the improper dumping of PHI potentially dated back to April 6, 2015, although that only happened “in limited circumstances.” It is unclear how many patients had their data exposed by the breach, as it was impossible to deduce which patients’ information were listed on the improperly of documents.
In order to ensure that all patients affected by the improper PHI dumping were issued a breach notification letter, Allina Health System took the decision to send letters to all patients who visited the clinic between April 6, and October 27. It is probable that only a small amount of those 6,000 patients had their PHI exposed.
The only patients that would have been affected are those who had their PHI printed on documents. This was not something that occurred with every patient according to Kanihan. Most members of staff were also conscious of the rules covering PHI disposal and would have placed the documents in the correct containers, further minimizing the number of patients likely to have been affected.
To lessen the risk of further incidents such as this occurring in the future, Allina Health System has replaced its trash bins with containers that have been clearly marked for shredding. Employees of the clinic have also been retrained on the importance of using the correct bins for any documents containing patient PHI.