Loni Blandford reports about yet another discovery of medical records from a defunct practice or entity just dumped without shredding:
From credit cards applications to patient’s name, addresses and even social security numbers. All that information was just sitting next to a dumpster in a parking lot near Buffalo Drive and Washington Avenue.
[…]
There were several doctor’s names in the paperwork. One of them is Dr. Robert Troell. …. Dr. Troell says he used to work at Pure Med Spa, one of the companies whose name was listed on the documents in the boxes. He says he quit about three years ago.
“In the state of Nevada there is a guideline that you have to keep records for five years and you have to get rid of them in a ethical, confidential format,” said Dr. Troell.
Pure Med Spa’s website shows they had a location at the Galleria at Sunset, but the phone number is disconnected.
Action News learned from calling their office in Toronto that there aren’t any Pure Med Spas still open in the United States.
Another business among the paperwork, Brite Smile Brite Skin, also didn’t have a working number. Their address shows they were once at the Fashion Show Mall but officials there couldn’t confirm if they were ever a tenant.
Read more on KTNV.
HHS has primarily taken a remedial/educative approach in its investigation of breaches involving protected health information, but it has gotten involved in some huge cases involving pharmacy chains that did not adequately protect customer/patient prescription information. But what can/should HHS do in cases where businesses or entities fold or close and just leave records behind? Could HHS impose civil penalties and fines? I would think so, and maybe they should consider issuing a big fine in some case to send a message that would get picked up by national media. But even if they wanted to do that, how many of these incidents never even come to their attention because the entity, having folded or gone bankrupt, doesn’t report the breach?
To be clear, I do not know whether the entities involved in this particular incident are covered entities under HIPAA. And some incidents might be more appropriate for states to investigate and handle. The Nevada State Board of Medical Examiners got involved in this particular case, but if this happened in your state, what state agency or authority would get involved and protect you? What state agency would take possession of the abandoned records? What state agency would investigate the breach and take legal action against the entity, if indicated? Do you know?