In-house Access Insight & Commentary for In-House Counsel Worldwide

Disposing of Protected Health Information Under HIPAA and Notification Requirements Resulting From a Breach

Posted in Ethics & Compliance

Guest blogger: Anthony Palazzo is general counsel for a global private holding company in Durham, N.C. He is also a member of ACC New Jersey.

As an in-house counsel, I am used to random questions. A recent one was: What do I do with my garbage? It did not deal with toxic, hazardous waste or old financial records. It concerned third party personal health records maintained on a computer. Oh boy.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations impose standards regarding the privacy and security of protected health information (PHI): individually identifiable health information that is transmitted or maintained in electronic, written or oral form (not including employment records held by a covered entity in its role as an employer). This information relates to an individual’s past, present or future physical or mental health, the provision of health care to the individual, and/or past, present or future payment for that care.

And by the way, what do we do if one of our employees steals some information concerning one of our patients? The plot thickens.

Let’s start with the garbage.

In March 2013, the Department of Health and Human Services (HHS) Omnibus Final Rule amending the HIPAA regulations in Title 45 of the Code of Federal Regulations (Parts 160 and 164) took effect. Among other things, the regulations require that PHI be disposed of in a manner consistent with HIPAA’s standards: the Privacy Rule requires reasonable safeguards to protect PHI during disposal, and the Security Rule (45 C.F.R. § 164.310(d)(2)) requires policies and procedures for the final disposition of electronic PHI and of the hardware and media on which it is stored. Deleting files, reformatting a drive, or sending intact equipment to a landfill does not meet these standards. For electronic media, HHS guidance lists three acceptable approaches: clearing (overwriting the media with non-sensitive data), purging (degaussing, that is, exposing the media to a strong magnetic field that disrupts the recorded data) or destroying the media (disintegration, pulverization, melting, incineration or shredding). One practical caveat: overwriting and degaussing are unreliable for solid-state drives and flash media, so those should be sanitized with the drive’s built-in secure-erase function or physically destroyed, following NIST Special Publication 800-88. For paper, the physician practice must have a specific shredding procedure or engage a vendor to shred, burn, pulp or pulverize the records so that the PHI is rendered unreadable, indecipherable and incapable of being reconstructed. A disposal vendor that handles PHI is a business associate and must be engaged under a business associate agreement.

What about photocopiers, fax machines and other devices? Whether intentionally or unintentionally, PHI stored in photocopiers, fax machines and other devices is subject to HIPAA’s privacy and security standards. Although these devices generally are not relied upon for storage and access to stored information, physicians should be aware that digital copiers and multifunction devices contain hard drives that retain images of documents that have been copied, scanned, printed or faxed. A physician must ensure that any PHI stored on these devices is protected and secured from inappropriate access, and must monitor and restrict physical access to a photocopier or a fax machine that is used for copying or sending PHI. The physician or office manager should also be sure that all PHI is eliminated before any photocopier, fax machine or other device leaves the premises at the end of its lease term, by having the drive wiped or removed and destroyed and obtaining written confirmation from the vendor. HHS has enforced this: in 2013 Affinity Health Plan paid more than $1.2 million to settle allegations that it returned leased photocopiers whose hard drives still held PHI.

Now, take for example a rogue employee who takes home a patient’s file with valued personal information. Well, residents of New Jersey are protected not only by HIPAA, but also by a general data breach notification statute, the New Jersey Identity Theft Prevention Act (N.J.S.A. 56:8-161 et seq.). This applies to any business that conducts business in New Jersey and compiles or maintains computerized records containing personal information of New Jersey residents. Please note that the statute does not cover data that was secured by encryption or another method that renders it unreadable or unusable, but the file taken here was probably not encrypted. Note also that the statute is directed at computerized records; theft of a paper-only file is governed by HIPAA’s breach notification rule rather than the New Jersey statute.

Assuming the information is not encrypted, it must also be “personal information” as the statute defines it: an individual’s first name or first initial and last name linked with a Social Security number, a driver’s license or state identification card number, or an account, credit card or debit card number together with any code or password that would permit access to the account. Health information by itself is private and subject to HIPAA, but it is not on that list, so the question is what else the file held. A patient file that contains the patient’s name together with a Social Security number or insurance billing account details would qualify, and that is true whether it is a new patient or an established one. In New Jersey, we look at the whole and not the parts: dissociated data that would constitute personal information if linked is treated as personal information when the means to link it was accessed along with the data. The statute does exclude publicly available information that is lawfully made available to the general public from federal, state or local government records or from widely distributed media.

So, what do we do if it is determined that there was some PHI and enough personal information to say the file contained private information that invokes the New Jersey general information or data breach notification statute?

Under the New Jersey statute, we must first report the breach to the Division of State Police in the Department of Law and Public Safety, before notifying the affected person. Following that, we must notify the affected person in the most expedient time possible and without unreasonable delay. We do not have to notify any consumer reporting agencies under New Jersey law since not more than 1,000 people were affected. HIPAA is a separate matter, and the fact that only one person was affected does not excuse us: the theft is presumed to be a reportable breach unless a documented risk assessment shows a low probability that the PHI was compromised, the individual must receive written notice without unreasonable delay and no later than 60 calendar days after discovery, and the breach must be logged and reported to HHS within 60 days after the end of the calendar year in which it was discovered. (Immediate notice to HHS and to the media is required only when 500 or more individuals are affected.) So we are not totally out of the woods.

New Jersey is still considered to be a consumer-friendly state. A violation of the New Jersey notification statute is an unlawful practice under the state Consumer Fraud Act, and HIPAA civil penalties are tiered by culpability, with the highest tier reserved for willful neglect. If we are found to have acted with willful neglect, we as the guardians of our patients’ private information may be subject to substantial civil penalties under both regimes.

Be so advised.