Back in 2006, WTHR News in Indianapolis earned themselves kudos a Peabody award for their investigative reporting on improper disposal of pharmacy records. Their reports also led to the state filing charges against some of the pharmacies. Sadly, prescription records are still being dumped improperly, although this time it seems to be by a medical center and not necessarily a pattern and practice of callous disregard for patient privacy.
WIBC in Indiana reports:
Personal documents that contained prescriptions for powerful pain medication and patient information were discovered on Wednesday in a dumpster, near an Indianapolis medical center.
A viewer tip led RTV6 to the Indiana University Medical Group office building near Glendale, where she found a box full of sensitive medical documents.
The box contained hundreds of papers, including copies of current driver’s licenses, patient information, signatures and prescriptions.
It’s great that members of the public recognize that such documents should be secured and disposed of properly and that they contact news media, who are generally able to get a response from authorities. In this case, the box was removed before investigators got there.
IU Medical Group officials emailed a statement to RTV6 in response to the documents.
“Patient information was accidentally discarded into a waste receptacle outside of one of our offices instead of the shredder in which it was intended. We took swift and immediate action to clean the receptacle and destroy the documents,” the statement read.
So… was this a simple error that they realized on their own and immediately corrected? Or was it only because they saw someone snooping around in the box that they went out to check? And should there be any consequences if this was just a short-lived exposure or breach?
The attorney general’s office told RTV6 that the incident did not fall under a violation of Indiana’s data breach laws, but it is reviewing to see if any Health Insurance Portability and Accountability Act laws were violated.
I would think that HIPAA was violated by the very fact that at least one person was able to see others’ PHI. But how costly should this type of breach or situation be?