Improper Disposal of Medical Records

Natalie Kelly, NAS Insurance Services/Lloyds Associate Vice President of Claims

Allegation

Violation of Health Care Privacy and Security Rules.

Disposition

Settled without fines or penalties. Legal and patient notification costs totaled $85,000.

Case summary

Employees of a physician disposed of medical records inappropriately by placing them into office recycling bins. Although the contents of the recycling bins were supposed to be shredded, these instructions were not communicated to the building’s janitorial services. As a result, the files were transferred to the building’s recycling area without being shredded. Although only approximately 500 patients were involved in the breach, the physician could not be sure which files had been placed in the recycling bins and which had not. Therefore, all of the physician’s 7,500 current and past patients had to be notified of the breach. The physician was also required to notify the Department of Health and Human Services (HHS), which responded by opening an investigation and requiring the physician to implement a program to comply with Privacy and Security Rules. Once its investigation had been completed, HHS dismissed the matter without assessing fines or penalties against the physician.

Analysis

The insured’s responsibility to safeguard patients’ protected health information was not met. Failure to adequately supervise the destruction of the records created a scenario that could have resulted in a significant fine under HIPAA Privacy or other regulations. Although no fine or penalty was imposed, there were significant legal and patient notification costs related to compliance with privacy laws, and the insured’s staff were forced to deal with unwanted distractions that took time away from their normal duties.

Risk management principles

Protecting patients’ health information should be given a high priority to avoid violations of HIPAA, HITECH, and other health information regulations. Avoid outsourcing or delegating the destruction of files or records to others unless you or your staff members are present to supervise the shredding of files or the destruction of data storage devices. OMIC’s professional liability policy includes coverage for this type of event. Under the Broad Regulatory Protection and eMD Cyber Liability benefits, there is a $50,000 limit to pay for legal and patient notification costs related to alleged HIPAA Privacy and other regulatory and data breach violations. See Policy Issues for more information. Learn about the 14 Additional Benefits in your OMIC policy that will protect you from these (and related) types of exposures.

Please refer to OMIC's Copyright and Disclaimer regarding the contents on this website

Six reasons OMIC is the best choice for ophthalmologists in America.

Best at defending claims.

An ophthalmologist pays nearly half a million dollars in premiums over the course of a career. Premium paid is directly related to a carrier’s claims experience. OMIC has a higher win rate taking tough cases to trial, full consent to settle (no hammer) clause, and access to the best experts. OMIC pays 25% less per claim than other carriers. As a result, OMIC has consistently maintained lower base rates than multispecialty carriers in the U.S.

Ophthalmic Mutual Insurance Company (OMIC)Phone: (800) 562-6642
655 Beach Street | San Francisco, CA 94109-1336Fax: (415) 771-7087
PO Box 880610 | San Francisco, CA 94188-0610Email: omic@omic.com