Allina Health System HIPAA Violation Uncovered

An Allina Health System HIPAA violation has been discovered that dates back to April 6, 2015. Documents containing the PHI of patients have been accidentally disposed of with regular trash instead of being sent for shredding.

Allina Health System HIPAA Violation Potentially Affects up to 6,100 Patients of the Isles Clinic

Several thousand patients of the Minneapolis Isles clinic run by Allina Health System have been notified that some of their Protected Health Information (PHI) may have been viewed by unauthorized individuals after it was discovered that documents containing PHI have been disposed of in regular trash bins for up to 6 months. The information potentially exposed includes patient names, addresses, medical record numbers, health insurance details, some clinical information, the last four digits of Social Security numbers, and in some cases, full Social Security numbers.

The Allina Health System HIPAA compliance violation may not be as severe as the OCR breach report suggests. While close to 6,100 patients were potentially affected, it was not actually possible to determine exactly which patients were impacted. Allina often printed out information about patients, although not for every patient who visited its clinic. Some members of staff disposed of PHI correctly and used the appropriate bins for printed information. Those documents would have been sent for shredding in accordance with HIPAA Rules. According to a statement released by Allina Health System spokesman, David Kanihan, most members of staff at the clinic did in fact dispose of documents correctly.

In cases such as this, a healthcare provider must err on the side of caution and alert all patients potentially affected, which in the case of the Allina Health System HIPAA violation was close to 6,100 individuals. Those individuals had visited the Isles Clinic in Minneapolis between April 6, 2015 and October 27, 2015, when it became apparent that some documents had been disposed of in incorrect bins.

In an effort to reduce the risk of patients suffering harm or loss as a result of the Allina Health System HIPAA violation, all those who were potentially affected have been offered a year of credit monitoring services without charge. That said, the probability of PHI falling into the hands of criminals is relatively low. The documents would have been taken from the trash bins and placed in dumpsters located within a locked complex. From there, the trash was taken to a city-owned refuse disposal center. All trash was then incinerated.

Since the risk of data being accessed by individuals unauthorized to view the information is low, this is viewed by Allina as a technical breach of HIPAA rules rather than a data breach that places patients at risk. Action has already been taken to prevent similar incidents from occurring in the future. New bins are now being used which are clearly marked as being for confidential waste, and all paperwork disposed of in those bins will be sent for shredding.

Members of staff at the clinic have also been given further training on patient privacy, data security, and HIPAA rules covering the secure disposal of PHI.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news