Business Week reported earlier this week that the medical records of 28 Central Florida Regional Hospital patients were included in a box purchased for $20 from a surplus store by a teacher for use as "scrap paper" in her fourth grade classroom. According to reports, the "scrap paper" included detailed medical histories, phone numbers, addresses, Social Security numbers and insurance information of patients who had received treatment at the hospital.
The hospital explains that last December it shipped three boxes of medical records via UPS to a Medicare auditor located in Las Vegas. When one of the boxes was not received, the auditor contacted hospital officials. The hospital then got in touch with UPS and attempted to determine the location of the third box. The hospital’s risk manager acknowledged that during the time it was working with UPS to resolve the issue, the hospital did not contact the potentially affected patients, despite the fact that it had concerns about the possibility of wrongful disclosure if the box got into the wrong hands. As luck would have it, it did – although it could have been much worse than ending up in the hands of a fourth grade teacher.
The mishap raises a few interesting questions. One is whether the hospital was required to notify patients that a box containing their medical records did not reach its intended destination. Another is whether UPS had any obligation to assure that a box full of confidential medical records did not end up at a surplus store for resale as scrap paper. I will offer my thoughts with regard to the first question in this post. I invite you to check back for my response to the second question.
Under HIPAA, a covered entity is required to reasonably safeguard its patients’ protected health information from any intentional or unintentional use or disclosure that is in violation of the Privacy Rule. In addition, a covered entity is required to mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of the information that would violate the Privacy Rule. 45 C.F.R. 164.530(f). HIPAA does not contain a mandatory security breach notification requirement. Additionally, most state security breach notification laws only require the individual to be notified where the breach potentially affects their electronic information.
The situation here involved paper records, and so may have fallen outside of any applicable state breach notification laws. In addition, it appears from reports that during the hospital’s investigation into the “lost” box, UPS never confirmed that the box was no longer in its control or, otherwise, that it had been forwarded to the surplus store. Apparently that information finally came to light after the fact. As such, the hospital likely determined that it was premature to notify individuals where it was possible that the box was simply making its way back to the hospital through the UPS return system. If the hospital had decided to notify individuals of the situation, it would likely have faced significant negative publicity for potentially no reason.
As it turns out, however, the box did end up in unintended hands. In hindsight, many may conclude that the hospital should have notified the individuals as soon as the box failed to reach the Medicare auditor. If the “lost” box of records had ended up in the hands of someone who would use the information for a sinister purpose, the outcome for the affected individuals could have been much worse. However, it is likely that if the sale of "scrap paper" had not occurred, UPS would have eventually concluded that the box was indeed lost. Then, the hospital may have considered sending a notification to patients if it concluded that there was a likelihood that the information could be used by some third party for an improper purpose.
Some may ask what "safeguards" could be put in place to prevent mailed medical records from ending up in unintended hands. A few come to mind. One is having a clearly marked return address to help undeliverable boxes be returned to the proper sender. Another is using a label marking the package as “CONFIDENTIAL” to increase awareness of the sensitive nature of its contents. A third is using a mail carrier whose tracking system allows a package to be traced.
Check back next week to find out my thoughts on: (1) Did UPS have any HIPAA obligations to assure that the medical records did not end up at a surplus store for resale? and (2) Is UPS a business associate of the hospital?