One Man's Scrap Paper Is Another Man's Treasure (part 1)
Business Week reported earlier this week that the medical records of 28
The hospital explains that last December it shipped three boxes of medical records via UPS to a Medicare auditor located in
The mishap raises a few interesting questions. One is whether the hospital was required to notify patients that a box containing their medical records did not reach its intended destination. Another is whether UPS had any obligation to assure that a box full of confidential medical records did not end up at a surplus store for resale as scrap paper. I will offer my thoughts with regard to the first question in this post. I invite you to check back for my response to the second question.
Under HIPAA, a covered entity is required to reasonably safeguard its patients' protected health information from any intentional or unintentional use or disclosure that is in violation of the Privacy Rule. In addition, a covered entity is required to mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of the information that would violate the Privacy Rule. 45 C.F.R. 164.530(f). HIPAA does not contain a mandatory security breach notification requirement. Additionally, most state security breach notification laws only require the individual to be notified where the breach potentially affects their electronic information.
The situation here involved paper records, and so may have fallen outside of any applicable state breach notification laws. In addition, it appears from reports that during the hospital's investigation into the “lost” box, UPS never confirmed that the box was no longer in its control or, otherwise, that it had been forwarded to the surplus store. Apparently that information finally came to light after the fact. As such, the hospital likely determined that it was premature to notify individuals where it was possible that the box was simply making its way back to the hospital through the UPS return system. If the hospital had decided to notify individuals of the situation, it would likely have faced significant negative publicity for potentially no reason.
As it turns out, however, the box did end up in unintended hands. In hindsight, many may conclude that the hospital should have notified the individuals as soon as the box failed to reach the Medicare auditor. If the “lost” box of records ended up in the hands of someone who would use the information for a sinister purpose, the outcome for the affected individuals could have been much worse. However, it is likely that if the sale of "scrap paper" had not occurred, UPS would have eventually concluded that the box was indeed lost. Then, the hospital may have considered sending a notification to patients if it concluded that there was a likelihood that that information could be used by some third party for an improper purpose.
Some may ask what "safeguards" could be put in place to prevent mailed medical records from ending up in unintended hands. A few come to mind. One is having a clearly marked return address to help undeliverable boxes be returned to the proper sender. Another is using a label marking the package as “CONFIDENTIAL” to increase awareness of the sensitive nature of its contents. A third is using a mail carrier whose system allows a package to be tracked down.
Check back next week to find out my thoughts on: (1) Did UPS have any HIPAA obligations to assure that the medical records did not end up at a surplus store for resale? and (2) Is UPS a business associate of the hospital?