Let’s not forget the physical threats to protected health information. This news report about a fire in Hillsdale, New York destroying the Hillsdale Healthcare medical practice should give you pause. Is this scenario anywhere in your risk assessment?
Heather Bellow reports on the damage to a strip mall from the fire, but I’m going to focus on the medical practice part of her reporting:
Bledsoe was distraught Tuesday, having lost everything in the blaze, including medical records and equipment. She was insured, but she said depreciation will cut into her payments, and now she’s facing serious problems.
“My patients are already jumping ship,” she said. “When I rebuild, how will I do that? Right now I have no income. I don’t know where to go from here.”
That sounds totally overwhelming.
But let’s go back to that comment about losing all medical records. How far back do those records go? Did the practice lose 15 years’ worth of records, or are most records in storage off-site? What was the plan here and what obligations might she now have under HIPAA? I cannot imagine HHS really clobbering a small facility like this or hitting them with any monetary penalty, but there should be questions, at the very least. And if you haven’t reviewed your risk assessment when it comes to physical threats like fire, flood, storm, or burglary, maybe this would be a good time?