Medical Records Retrieved From Dumpster

October 23 , 2007 in Industry News

By Dann Denny | ddenny@heraldt.com

A Bloomington, IN, family physician said he’s removed the boxes filled with patients’ medical records he and his staff members had placed in and alongside a dumpster in the parking lot behind his office, but he refused to say specifically what he will do with them.

Dr. J.B. O’Donnell said he removed the records from the dumpster area Saturday morning, the same day a Herald-Times story was published about the records being spotted there by a passer-by.

“They will be disposed of in the proper way,” said O’Donnell Monday morning.

When asked if that meant he would have the records shredded, he said, “No comment.”

An hour later, O’Donnell hand-delivered to the Herald-Times a letter to the editor, in which he wrote that “our office decided to cover the costs of shredding the material, and this will be done in the nearest future.”

When asked why he placed the patients’ records in and alongside the dumpster rather than shredding them, he said, “This is a private housekeeping matter and none of anyone’s business.”

But Michael Rinebold, director of the Medical Licensing Board of Indiana, disagrees.

Rinebold said if an investigation is launched and O’Donnell is found to have violated the federal Privacy Rule under HIPAA, the Health Insurance Portability and Accountability Act, he could face civil and/or criminal penalties.

“He could be found liable for civil fines of $100 per violation up to $25,000 a year,” he said. “Criminal penalties could range up to $50,000 and a year in prison, or $100,000 and five years in prison if he committed a violation under false pretenses.”

Rinebold said the federal Privacy Rule requires that hospitals and doctors’ offices have reasonable safeguards in place to protect the privacy of patients’ identity and medical information.

“Reasonable safeguards will vary from practice to practice, depending on its size and the nature of the protected information it holds,” Rinebold said. “If the U.S. Health and Human Services office decides to investigate this case, it will be the agency that decides whether this physician disposed of his patients’ medical records in a reasonable manner.”

Rinebold added that if O’Donnell is found to have violated any state or federal rules, he could be further disciplined through the Indiana attorney general’s office.

In O’Donnell’s letter to the editor, he writes that many of the files in the dumpster referred to patients who are now dead. Rinebold said that is irrelevant.

“Nowhere in any of the HIPAA literature does it differentiate between living or dead patients,” Rinebold said. “People can steal a dead patient’s identity as easily as they can a patient who is alive. Doctors have a duty to protect their patients’ identity, whether they are alive or dead.”

Safeguards required

The U.S. Health and Human Services Web site says doctors must have written privacy policies and procedures in place, train their employees in how to follow them and apply appropriate sanctions against employees who violate them.

The site also says these safeguards “must prevent intentional or unintentional use or disclosure of protected health information in violation of the federal Privacy Rule,” adding that such safeguards “might include shredding documents containing protected health information before discarding them.”

The federal Privacy Rule does not specifically say patient documents must be shredded – just safeguarded.

Rinebold said once a hospital or doctor’s office learns it has unintentionally disclosed patient information to the general public, it must take appropriate action “to mitigate to the extent practical that disclosure.”

“Let’s say a hospital learned it disclosed 100 patient records on its Web site for half a day,” he said. “The hospital would have to shut down the Web site immediately, then send those 100 patients letters informing them that for a period of time their personal information was available to the public. They might also tell them they may want to visit a Web site where they can get a free credit report.”

Patients upset

Wilma Mann is one of several patients who expressed their displeasure with O’Donnell’s actions.

“I’m furious, and I’m frightened,” said Mann, a 74-year-old Bloomington resident. “I was a patient of both of those doctors, so my identity was out there in one of those boxes – with my Social Security number and all my personal information. You would think a doctor would know how to properly dispose of this kind of information, especially in this day and age.”

The medical records, all more than 11 years old, included patients’ names, addresses, birth dates, Social Security numbers, marital status, places of employment, insurance information and medical conditions ranging from heart murmurs to psychiatric disorders.

O’Donnell said some of the files in the dumpster contained information about his patients but most of them referred to patients of Dr. Steven Lewallen, who used to practice at 1920 E. Third St. – in the same building where O’Donnell currently practices. Lewallen now practices in Plymouth, Mich.

Rinebold said patients who wish to file a complaint against O’Donnell should call the consumer affairs division of the U.S. Health and Human Services office at 866-627-7748.