Another HIPAA breach in Texas has been reported, and this time it involves the improper storage of PHI – highly confidential information which in the wrong hands could be devastating for the patients concerned. The data that could potentially have been exposed includes abortion clinic records along with Social Security numbers and personally identifiable information.
KTRH – a radio station in Houston – reported that it had been informed of a case of improper storage of PHI after the owner of a local warehouse contacted the station to report that she had found a number of boxes of confidential medical records that appeared to belong to a Houston abortion clinic.
Esmeralda Cedillo owns a warehouse in the city and discovered the boxes of files while she was walking her dog around the facilities. The warehouse had not been used for seven years and was secured; however her dog entered the premises and started dragging out what appeared to be medical files from the storage facility.
Cedillo wondered where the files had come from, and when she entered the warehouse she discovered a number of boxes of files that did not belong to her. She also found a stash of opiate drugs along with the files. Not knowing what do, but realizing that the information has private and confidential, Cedillo contacted the radio station.
Cedillo claims that the files must have been put in the warehouse by a relative who had previously worked at an abortion clinic; however the two have long since lost touch. The abortion clinic, which was not named in the report, had been closed for a number of years.
Cedillo has now passed all of the files over to the law firm that was overseeing the closure of the clinic, and the data has now been secured. Cedillo said that she had not viewed the files apart from a small number that she looked at when she was trying to determine what the paperwork was. The warehouse owner has received a financial reward from the law firm for ensuring that the data was not divulged.
Under federal HIPAA compliance regulations, when Protected Health Information (PHI) is no longer required it must be permanently destroyed or rendered unreadable. The Security Rule also demands that physical, administrative and technical safeguards are used to protect PHI. There appears to be some violations of HIPAA Rules involved in this Texas HIPAA breach and the OCR and Texas Attorney General may choose to investigate the matter and attempt to hold the person responsible financially accountable for their actions.
However, there may be an explanation for the stored files. Individual states can implement their own data security laws, provided that they do not decrease the level of protection that is demanded by federal data security laws. In Texas, PHI cannot be destroyed as soon as it is not deemed not to be required any longer. Certain medical records must be kept for a period of 7 years after the last treatment was given to a patient.