Recycled Medical Records Used As Scrap Paper At Elementary School
Parents with students at Hale Elementary School in Minneapolis have found something interesting on the back of their children's pictures hanging on the fridge: detailed medical information. From the article: "Jennifer Kane was tidying her dining room when she found the drawing by her daughter, Keely, who goes to Hale Elementary School. On the back of the paper was the name, birth date and detailed medical information for a 24-year-old St. Paul woman named Paula White. 'The more I read it, the more alarmed I became about the amount of information I had about this person,' said Kane." The security lapse has been blamed on a paralegal donating the paper to the school.
Someone should be fired immediately. And was there no one at the school that noticed this?
School teachers are not responsible for HIPAA compliance ;-)
Maybe not... The law firm is probably not a HIPAA covered agency. If the law firm got the records because their client was a covered entity, they might be in trouble under HIPAA. If they got the records because they were suing a covered entity, they probably aren't in trouble under HIPAA. They'd still be in trouble for disclosing private information, though.
Here's a writeup.
There is no maybe about it. If the law firm is representing a covered entity then they have to comply with HIPAA regulations. This has been the case since February 17, 2010.
You are also right on if the lawyer was not representing a covered entity. If they had acquired the information while representing a client bringing a lawsuit against a hospital then they aren't covered by HIPAA.
"Lack of speed can be overcome. In the worst case by patience." --Znork
I don't think you understand the purpose of HIPAA.
HIPAA is designed to dictate how covered entities that can collect your PHI have to handle your PHI, but mostly it's to cover the instances under which a covered entity can share your PHI with third parties without your permission, with all other cases requiring your permission.
There is no way for a covered entity (medical provider) to sidestep HIPAA by giving it to some 3rd party without first obtaining your permission. If they could give it without permission, then the entity receiving the PHI is going to be covered under HIPAA as well, either as a covered entity or a business associate.