Whether it be a delete-happy IT admin, a theft, or a glitch in your system, lost patient records or lost medical records can have an impact on your patients and can put your organization at risk for a HIPAA violation.
What should you do when you suspect that patient records have been inappropriately lost or destroyed?
Your first stop should be to determine whether the data destruction of medical records or patient records was a violation of company policy.
(1) Start by reviewing your organization’s data destruction policy and determine whether or not the deletion was actually in compliance with existing policies.
There are usually strict guidelines regarding how data must be destroyed so that it is no longer accessible.
For example, there is a significant difference between data that was destroyed through degaussing, which renders the data permanently unusable, versus a non-functioning hard drive being thrown away in the trash, which leaves the data accessible to someone who might find it. You will have less trouble to deal with if the data was destroyed in a method that rendered it completely unusable. For information on how to securely dispose of paper PHI, check out this guide from ProShred Security.
(2) Next, check out your data retention policy.
If your business has a HIPAA compliance program that says that it’s ok to delete data under certain conditions, then go with that. If after reviewing data destruction and retention policies you conclude that the data was destroyed inappropriately, you may have a HIPAA violation on your hands.
HIPAA regulations require covered entities to, “Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.” The focus here is on the availability component, which drives many of the policies for data backup, disaster recovery, and providing patients access to their PHI.
HHS states that “the data or information must be accessible and usable upon demand by an authorized person”, and that “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set.”
What does the destruction of medical records or patient records mean for your organization?
If it turns out that a patient record was deleted and is completely unrecoverable, your organization has violated patients’ rights to access their information. On the other hand, if the data was lost and was not destroyed then the data is out there somewhere unsecured. This is not only a violation, but a potential breach of health information.
Data breaches have much more serious consequences than a violation, and require reporting to different agencies such as HHS. It will serve your organization immensely to perform a careful investigation of the incident and your policies so that you can err on the side of a violation, if possible.
Do you need help dealing with lost patient records, destroyed, or deleted data? Give Gazelle Consulting a call at (503) 389-5666 or email us at info@gazelleconsulting.org!
OR contact a healthcare attorney. (I’ll let you in on a little secret, I know which one is cheaper!)