Recycled Medical Records Used As Scrap Paper At Elementary School

Parents with students at Hale Elementary School in Minneapolis have found something interesting on the back of their children's pictures hanging on the fridge, detailed medical information. From the article: "Jennifer Kane was tidying her dining room when she found the drawing by her daughter, Keely, who goes to Hale Elementary School. On the back of the paper was the name, birth date and detailed medical information for a 24-year-old St. Paul woman named Paula White. 'The more I read it, the more alarmed I became about the amount of information I had about this person,' said Kane." The security lapse has been blamed on a paralegal donating the paper to the school.

Re:HIPAA uber-violation

[sribe]

Someone should be fired immediately. And was there no one at the school that noticed this?

School teachers are not responsible for HIPAA compliance ;-)

Re:HIPAA fail

[Alan+Shutko]

Maybe not... The law firm is probably not a HIPAA covered agency. If the law firm got the records because their client was a covered entity, they might be in trouble under HIPAA. If they got the records because they were suing a covered entity, they probably aren't in trouble under HIPAA. They'd still be in trouble for disclosing private information, though.

Here's a writeup.

Re:HIPAA fail

[Talderas]

There is no maybe about it. If the law firm is representing a covered entity then they have to comply with HIPAA regulations. This has been the case since February 17, 2010.

You are also right on if the lawyer was not representing a covered entity. If they had acquired the information while representing a client bringing a lawsuit against a hospital then they aren't covered by HIPAA.

Re:HIPAA fail

[Talderas]

I don't think you understand the purpose of HIPAA.

HIPAA is designed to dictate both how covered entities that can collect your PHI have to handle your PHI but mostly it's to cover the instances under which a covered entity can share your PHI with third parties without your permission with all other cases requiring your permission.

There is no way for a covered entity (medical provider) to sidestep HIPAA by giving it to some 3rd party without first obtaining your permission. If they could give it without permission then the entity receiving the PHI is going to be covered under HIPAA as well either as a covered entity or a business associate.

Re:HIPAA fail

[Talderas]

HIPAA only covers medical providers, health insurance plans, and medical clearinghouses (whatever those are). It is "extended" to cover business associates with which covered entities engage for work assuming the business associate has adequate protections to safeguard the PHI and they won't misuse it. The business associate label just allows a covered entity to share the PHI without seeking the patient's permission.

A lawyer representing a hospital during a medical malpractice case would be considered a business associate. If a hospital wants to store backup tapes that contain PHI with Iron Mountain, then Iron Mountain is considered a business associate and must meet all the regulations of HIPAA.

A lawyer representing a client who is suing a hospital for medical malpractice is not representing a covered entity and consequently not required to follow HIPAA regulations.

If HIPAA was violated in this scenario then the hospital did so by releasing the records to the law firm but I highly doubt that the hospital released the records to the law firm without the patient's permission. The Bar Association or other entities may have something to say but a violation of HIPAA this is not.