Remember the case in Illinois where Boyd Hospital had stored patient records in a building that was later sold as surplus? The hospital claimed it didn’t know the new owner was taking possession of the building, which is why the patient records were still inside when the new owner took over the premises. The hospital quickly re-secured the files.
In its investigation into the incident, OCR found:
A facility where the covered entity (CE) had stored its medical records since 1994 was sold to a third party and possession of this property was given to the new owner for five days, unbeknownst to the CE. The protected health information (PHI) involved in the breach included the clinical, demographic and financial information of 8,300 individuals. Upon discovery of the breach, the CE immediately retrieved all records at the facility. There was no evidence that the records were otherwise compromised. The CE provided breach notification to HHS, affected individuals, and the media. The CE retrained employees on its revised policies and procedures, including the proper storage of PHI and distribution of its revised policies and procedures. OCR obtained assurances that the CE implemented the corrective actions listed.
Does OCR just take entities’ word for how events unfolded? I wonder. In this case, the new owner had claimed that he and his realtor had made repeated calls to alert Boyd to the situation. Did OCR investigate that claim? While the hospital claimed it did not know, could it have known? Keep in mind that the hospital attempted to shift responsibility to the new owner and had reportedly filed a police report claiming that the records had been stolen. So… did OCR give Boyd a pass on what they could have/should have known?
If I had the time and resources, I’d file some FOIA requests with OCR – and not just about this case. I know OCR is more concerned with educating entities/bringing them into compliance than in punitive measures, but are they being too forgiving or too trusting sometimes?