An Illinois healthcare provider, Thomas H. Boyd Memorial Hospital, has potentially breached HIPAA compliance rules on data storage by selling a property and failing to collect the medical records that were being stored there before ownership of the property changed hands.
The Health Insurance Portability and Accountability Act places a number of requirements on holders of Protected Health Information (PHI). The Security Rule stipulates that technical, administrative and physical controls must be used to safeguard PHI and protect patient privacy, although it only applies to data in electronic form.
HIPAA Privacy Rules on data storage apply to physical records as well as their digital counterparts, and just as network and email servers must be kept under lock and key, so must paper records, films and other physical records. In this case, one of the reasons for the potential HIPAA violations is that the keys were no longer held by the healthcare provider once the property had been sold. The new owner, quite within his legal rights, changed the locks.
When the property was transferred to the new owner, ownership of the contents of the property also changed hands. The contents included the paper medical files of approximately 8,300 individuals.
Edward Crone, a local resident, purchased an old ambulance shed that was being used as a hospital storage facility. The property contained desks, chairs and other office equipment along with a number of medical files. The new owner allegedly informed the hospital on numerous occasions, but the hospital was slow to respond and collect the records. By the time someone was sent to collect the files, the property had been sold.
A spokesperson for the hospital said “the hospital was aware of the sale of the building, it was not informed there was a buyer or of the closing date.”
The records have now been returned to the rightful owner and the incident resulted in no disclosure of information; however, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) may not be content to leave the matter there. There appears to be at least one HIPAA violation. How the OCR views the matter is open to speculation.
HIPAA Rules on Data Storage
According to 45 CFR § 164.530(c) of the HIPAA Privacy Rule:
(1) Standard: safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.
(2) Implementation specification: safeguards.
(i) A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.
(ii) A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.