Risk Management



Improper Disposal of Medical Records

Natalie Kelly, NAS Insurance Services/Lloyds Associate Vice President of Claims 

Allegation 

Violation of Health Care Privacy and Security Rules.

Disposition

Settled without fines or penalties. Legal and patient notification costs totaled $85,000.

Case summary 

Employees of a physician disposed of medical records inappropriately by placing them into office recycling bins. Although the contents of the recycling bins were supposed to be shredded, these instructions were not communicated to the building’s janitorial services. As a result, the files were transferred to the building’s recycling area without being shredded. Although only approximately 500 patients were involved in the breach, the physician could not be sure which files had been placed in the recycling bins and which had not. Therefore, all of the physician’s 7,500 current and past patients had to be notified of the breach. The physician was also required to notify the Department of Health and Human Services (HHS), which responded by opening an investigation and requiring the physician to implement a program to comply with Privacy and Security Rules. Once its investigation had been completed, HHS dismissed the matter without assessing fines or penalties against the physician.

Analysis

The insured’s responsibility to safeguard patients’ protected health information was not met. Failure to adequately supervise the destruction of the records created a scenario that could have resulted in a significant fine under HIPAA Privacy or other regulations. Although no fine or penalty was imposed, there were significant legal and patient notification costs related to compliance with privacy laws, and the insured’s staff were forced to deal with unwanted distractions that took time away from their normal duties.

Risk management principles 

Protecting patients’ health information should be given a high priority to avoid violations of HIPAA, HITECH, and other health information regulations. Avoid outsourcing or delegating the destruction of files or records to others unless you or your staff members are present to supervise the shredding of files or the destruction of data storage devices. OMIC’s professional liability policy includes coverage for this type of event. Under the Broad Regulatory Protection and eMD Cyber Liability benefits, there is a $50,000 limit to pay for legal and patient notification costs related to alleged HIPAA Privacy and other regulatory and data breach violations. See Policy Issues for more information. Learn about the 14 Additional Benefits in your OMIC policy that will protect you from these (and related) types of exposures.

Please refer to OMIC's Copyright and Disclaimer regarding the contents on this website

Leave a comment



Six reasons OMIC is the best choice for ophthalmologists in America.

#1. Consistent return of premium.

Publicly-traded insurance companies exist to make profits for shareholders while physician-owned carriers often return profits to their policyholders. Don’t underestimate this benefit; it can add up to tens of thousands of dollars over the course of your career. OMIC has one of the most generous dividend programs for ophthalmologists and has returned more than $20 Million to our members through dividends.

61864684