Risk Management

Improper Disposal of Medical Records

Natalie Kelly, Associate Vice President of Claims, NAS Insurance Services/Lloyds

Violation of Health Care Privacy and Security Rules.

Settled without fines or penalties. Legal and patient notification costs totaled $85,000.

Case summary 

Employees of a physician disposed of medical records improperly by placing them in office recycling bins. Although the contents of the recycling bins were supposed to be shredded, that instruction was never communicated to the building’s janitorial service, so the files were moved to the building’s recycling area without being shredded. Only approximately 500 patients were involved in the breach, but the physician could not determine which files had been placed in the recycling bins and which had not, so all 7,500 of the physician’s current and past patients had to be notified. The physician was also required to notify the Department of Health and Human Services (HHS), which opened an investigation and required the physician to implement a program to comply with the Privacy and Security Rules. Once its investigation was complete, HHS dismissed the matter without assessing fines or penalties against the physician.

The insured failed to meet its responsibility to safeguard patients’ protected health information. Inadequate supervision of the records’ destruction created a scenario that could have resulted in a significant fine under the HIPAA Privacy Rule or other regulations. Although no fine or penalty was imposed, compliance with privacy laws brought significant legal and patient notification costs, and the insured’s staff had to deal with unwanted distractions that took time away from their normal duties.

Risk management principles 

Protecting patients’ health information should be a high priority in order to avoid violations of HIPAA, HITECH, and other health information regulations. Do not outsource or delegate the destruction of files or records unless you or your staff members are present to supervise the shredding of files or the destruction of data storage devices. OMIC’s professional liability policy includes coverage for this type of event: under the Broad Regulatory Protection and eMD Cyber Liability benefits, there is a $50,000 limit to pay for legal and patient notification costs related to alleged HIPAA Privacy and other regulatory and data breach violations. See Policy Issues for more information, and learn about the 14 Additional Benefits in your OMIC policy that protect you from these and related types of exposure.

Please refer to OMIC's Copyright and Disclaimer regarding the contents on this website

