October 6, 2022

Volume XII, Number 279

Privacy Tip #324 – What Happens to My Health Information When a Hospital Goes Out of Business?

In general, both state and federal laws apply to health information or protected health information that is in the possession of hospitals, health systems, and medical providers.

HIPAA requires that covered entities protect the confidentiality and integrity of protected health information in their possession and secure it from unauthorized access, use, or disclosure. In addition, state laws may apply to protect the confidentiality of health information depending on the state in which you reside and may require health care providers to properly dispose of health information when the health care provider is no longer in business.

When a health care entity goes out of business, it is supposed to follow the laws that are applicable to it when disposing of the health information in its possession. Unfortunately for patients of Eastern Ozarks Regional Medical System (Eastern Ozarks), it appears from a complaint filed against it by the Arkansas Attorney General (AG) that it did not properly dispose of medical records when it closed its doors in 2004.

According to the AG’s complaint, the system shuttered its doors in 2004 and the property was transferred to the state because of tax deficiencies. Patients’ files were left behind in the facility and storage buildings, the facility was vandalized, and the vandals had access to and examined the files in order to steal sensitive personal and health information. AG Leslie Rutledge conducted a site examination and estimates that there “could be several thousands of files that were left behind in the unsecured buildings. These files contained social security numbers, driver’s license numbers, account information, medical information and biometric data.”

Attorney General Rutledge alleges that Eastern Ozarks violated the Arkansas Personal Information Protection Act and the Arkansas Deceptive Trade Practices Act. Civil penalties of up to $10,000 for each violation of those laws are applicable.

State Attorneys General usually have jurisdiction over consumer protection. According to Attorney General Rutledge, “Consumers must be able to trust their healthcare providers and employers to protect their personal information.”

Copyright © 2022 Robinson & Cole LLP. All rights reserved. National Law Review, Volume XII, Number 83

About this Author

Linn F. Freedman, Robinson Cole Law Firm, Cybersecurity and Litigation Law Attorney, Providence
Partner

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She provides guidance on data privacy and cybersecurity compliance to a full range of public and private clients across all industries, such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine, and charitable organizations. Linn is a member of the firm's Business Litigation Group and chairs its Data Privacy + Cybersecurity Team. She is also a member of the Financial Services Cyber-Compliance Team (CyFi ...

401-709-3353