Privacy Tip #324 – What Happens to My Health Information When a Hospital Goes Out of Business?
In general, both state and federal laws apply to health information or protected health information that is in the possession of hospitals, health systems, and medical providers.
HIPAA requires that covered entities protect the confidentiality and integrity of protected health information in their possession and secure it from unauthorized access, use, or disclosure. In addition, state laws may apply to protect the confidentiality of health information depending on the state in which you reside and may require health care providers to properly dispose of health information when the health care provider is no longer in business.
When a health care entity goes out of business, it is supposed to follow the laws that are applicable to it when disposing of the health information in its possession. Unfortunately for patients of Eastern Ozarks Regional Medical System (Eastern Ozarks), it appears from a complaint filed against it by the Arkansas Attorney General (AG) that it did not properly dispose of medical records when it closed its doors in 2004.
According to the AG’s complaint, the system shuttered its doors in 2004 and the property was transferred to the state because of tax deficiencies. Patients’ files were left behind in the facility and storage buildings, the facility was vandalized, and the vandals had access to and examined the files in order to steal sensitive personal and health information. AG Leslie Rutledge conducted a site examination and estimates that there “could be several thousands of files that were left behind in the unsecured buildings. These files contained social security numbers, driver’s license numbers, account information, medical information and biometric data.”
Attorney General Rutledge alleges that Eastern Ozarks violated the Arkansas Personal Information Protection Act and the Arkansas Deceptive Trade Practices Act. Each violation of those laws is subject to a civil penalty of up to $10,000.
State Attorneys General usually have jurisdiction over consumer protection. According to Attorney General Rutledge, “Consumers must be able to trust their healthcare providers and employers to protect their personal information.”