A recent breach of HIPAA reported in the news reinforces the need for employers to have and monitor document destruction policies, including the policies of their service providers. BAS has a standing policy of shredding all paper documents with personal identifying information.
Litton & Giddings Radiological Associates, a radiology practice with multiple locations in Missouri, contracted its patient billing to an outside billing company. The janitorial services provider for the billing company mistakenly removed documents from a locked shred bin and placed them in another locked container with other recyclable materials. The documents were not shredded before being transferred to the universal recycling container. The locked container was sent to a recycling center where the items were sorted for recycling and eventually destroyed. The recycling process was largely automated, but facility employees occasionally manually sorted materials and might have viewed the patient billing records.
While it was not clear how many billing records were sent to the recycling center, it could have been records for up to 13,000 patients.
LGRA determined that there could have been a breach under the HITECH amendments to HIPAA and notified all of its patients with billing activity during the time period at issue. HITECH requires notification of a breach of unsecured protected health information if the unauthorized access of that information could cause the person financial or reputational harm.
This recent event highlights the importance of monitoring all processes that involve PHI. BAS has a standard practice of shredding paper containing PHI or sensitive information. Paper with PHI that must be retained is kept secure with physical and administrative safeguards.