Whether it be an delete happy IT admin, a theft, or a glitch in your system, lost health records can have an impact on your patients and can put your organization at risk for a HIPAA violation. So what should you do when you suspect that patient records have been inappropriately lost or destroyed?
Your first stop should be to determine whether the data destruction was a violation of company policy. Start by reviewing your organization’s data destruction policy and determine whether or not the deletion was actually in compliance with existing policies. There are usually strict guidelines regarding how data must be destroyed so that it is no longer accessible. For example, there is a significant difference between data that was destroyed through degaussing, which renders the data permanently unusable, versus a non-functioning hard drive being thrown away in the trash, which leaves the data accessible to someone who might find it. You will have less trouble to deal with if the data was destroyed in a method that rendered it completely unusable.
Second, check out your data retention policy, If your business has a HIPAA compliance program that says that it’s ok to delete data under certain conditions then go with that. If after reviewing data destruction and retention policies you conclude that the data was destroyed inappropriately, you may have a HIPAA violation on your hands.
HIPAA regulations require covered entities to, “Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.” The focus here is on the availability component, which drives many of the policies for data back-up, disaster recovery, and providing patients access to their PHI. HHS states that “the data or information must be accessible and usable upon demand by an authorized person” and that “an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set.”
So what does that mean for you?
If it turns out that a patient record was deleted and is completely unrecoverable, your organization has violated patients rights to access their information. On the other hand if the data was lost and was not destroyed then the data is out there somewhere unsecured, which is not only a violation, but a potential breach of health information. Data breaches have much more serious consequences than a violation, and require reporting to different agencies such as HHS. It will serve your organization immensely to perform a careful investigation of the incident and your policies so that you can err on the side of a violation, if possible.
If you need help dealing with lost, destroyed, or deleted data contact Gazelle Consulting, LLC at (503) 389-5666.