Pennsylvania Obs/Gyn Clinic PHI Breached Due to Improper Disposal

Paper files from Women’s Health Consultants, an obstetrics and gynecology practice that had centers in South Whitehall Township and Hanover Township, PA  have been dumped at a recycling center in Allentown, Pennsylvania.

The files – containing names, Social Security numbers, and medical histories, including details of cancer diagnoses and sexually transmitted diseases – seem to have come from the firm which is no longer operating.

If it not clear these files came to be dumped at the recycling center as the container where the records were found was not covered by surveillance cameras.

The recycling center does have a securely locked recycling container where sensitive documents that have confidential information can be left securely, but that container was not used. The records were dumped in a container where they could be accessed by unauthorized persons.

The individual who identified the PHI left an anonymous tip on the non-emergency line of the Allentown communication center. As reported by The Morning Call, a city employee went to the recycling center and placed the records further into the container, so they were no longer seen by members of the public. The container has since been moved on to a truck. The container will be taken by the truck to a recycling firm.

The Pennsylvania attorney general’s office has been made aware of the privacy breach, although it is unclear whether an investigation into the incident has been kicked off or not.

HIPAA requires all PHI holding patients’ protected health information to be destroyed of securely, rendering all PHI unreadable and indecipherable, so that it cannot be put back together. For paper records, this would usually involve shredding, pulping, or setting fire to the files. If that process is to occur remotely, the records should be made safe while on the move to ensure they cannot be accessed by unauthorized persons.

Failing to dispose of such records securely can attract a massive financial penalty, varying from $100 to $50,000 per instance, up to a maximum fine of $1,500,000.

The Department of Health and Human Services’ Office for Civil Rights has, previously, punished healthcare companies for improperly disposing of PHI. During 2015, Cornell Prescription Pharmacy made a settlement an improper disposal case with OCR for a fine of $125,000.

Author: Security News