Slashdot Mirror


Recycled Medical Records Used As Scrap Paper At Elementary School

Parents with students at Hale Elementary School in Minneapolis have found something interesting on the back of their children's pictures hanging on the fridge: detailed medical information. From the article: "Jennifer Kane was tidying her dining room when she found the drawing by her daughter, Keely, who goes to Hale Elementary School. On the back of the paper was the name, birth date and detailed medical information for a 24-year-old St. Paul woman named Paula White. 'The more I read it, the more alarmed I became about the amount of information I had about this person,' said Kane." The security lapse has been blamed on a paralegal donating the paper to the school.

  1. First medical record post! by GameboyRMH · · Score: 5, Funny

    Look in the source code of this comment for detailed medical records!

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  2. HIPAA fail by akeeneye · · Score: 5, Interesting

    There's got to be a massive fine coming for this.

    --
    The man who dies rich dies disgraced. -- Andrew Carnegie
    1. Re:HIPAA fail by Alan+Shutko · · Score: 5, Informative

      Maybe not... The law firm is probably not a HIPAA covered agency. If the law firm got the records because their client was a covered entity, they might be in trouble under HIPAA. If they got the records because they were suing a covered entity, they probably aren't in trouble under HIPAA. They'd still be in trouble for disclosing private information, though.

      Here's a writeup.

    2. Re:HIPAA fail by Talderas · · Score: 5, Informative

      There is no maybe about it. If the law firm is representing a covered entity then they have to comply with HIPAA regulations. This has been the case since February 17, 2010.

      You are also right on if the lawyer was not representing a covered entity. If they had acquired the information while representing a client bringing a lawsuit against a hospital then they aren't covered by HIPAA.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    3. Re:HIPAA fail by Talderas · · Score: 5, Insightful

      You aren't going to be able to sue a medical center and get all medical records for all patients. It's unlikely that you would get any records other than your own health records.

      What happened here is a pretty clear chain of events as to how it happened.

      Here are the facts. Many (exact number unknown) pieces of scrap paper contained medical information. All that information originated from Sawicki and Phelps. Ms. White had hired them after she was in a car accident.

      The last fact heavily suggests that these attorneys are personal injury attorneys and possibly medical malpractice attorneys. They are going to need to have the medical records for their clients in order to build a case. This leads me to believe that all medical information disclosed by them were all clients of the law firm seeking restitution for injuries sustained.

      It's really not even a loophole at all. It's a possible consequence of giving your medical information to a group not covered by HIPAA.

      The only difference between this and giving your medical information to the guy that gets your Starbucks in the morning is that at least lawyers have the bar association and other organizations which may keep them in line regarding private information. That and a lawyer without clients because he keeps giving out their private info would be a lawyer without clients.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    4. Re:HIPAA fail by gstoddart · · Score: 4, Insightful

      Maybe not... The law firm is probably not a HIPAA covered agency.

      Really? That's somewhat appalling ... so the easiest way to sidestep these regulations is to give it to someone who isn't covered by them?

      I realize that's a gross simplification, but I should think that getting information covered under such a law would extend obligations to you. This information is covered under HIPAA ... you've been given this information ... therefore you have obligations under HIPAA.

      I mean, it's not like someone can give me Classified information and suddenly I'm free to do with it as I please.

      Sadly, I fear my version is probably more abstract and less likely to be that way in practice.

      --
      Lost at C:>. Found at C.
    5. Re:HIPAA fail by Talderas · · Score: 4, Informative

      I don't think you understand the purpose of HIPAA.

      HIPAA is designed to dictate both how covered entities that can collect your PHI have to handle your PHI but mostly it's to cover the instances under which a covered entity can share your PHI with third parties without your permission with all other cases requiring your permission.

      There is no way for a covered entity (medical provider) to sidestep HIPAA by giving it to some 3rd party without first obtaining your permission. If they could give it without permission then the entity receiving the PHI is going to be covered under HIPAA as well either as a covered entity or a business associate.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    6. Re:HIPAA fail by hairyfeet · · Score: 4, Interesting

      Hell, the scary part for me is how many who are supposed to be protecting those records don't even follow best practices! My mom was a popular charge nurse at a local hospital so I got to know the IT guy and his crew pretty decently. So a few years back he goes "Hey you wanna have a ton of machines to strip? Back up the truck" and sure enough he loads 30 or so nice boxes onto my truck. Well I figure I'll get home and find the drives gone but nope, all still there with ALL THE DATA. I thought it was nice he trusted me but more than a little scary too.

      I'm also buddies with the apt super who is also the super at a bunch of office complexes in the area. He called me a while back and said "If you want a ton of boxes for parts get over here before the garbage man gets 'em" and sure enough the local telco he supers for had put a mound of nice late P4s and early duals out for scrap. Again when I get home with 'em and check, ALL the drives are there and the CC data wasn't even encrypted!

      I used to be amazed at the stories of some megacorp losing tons of data but frankly I just can't be surprised anymore, it seems like nobody bothers to do even basic due diligence. When I was working corp I got permission to give our old machines to a shelter for abused women but before a single box left my shop I had DOD 7 wiped the drive and installed a clean disc image for the shelter with their programs. The thought of just letting a box go straight from the floor to the back of someone's truck, even someone I knew, would have given me a heart attack!

      --
      ACs don't waste your time replying, your posts are never seen by me.
    7. Re:HIPAA fail by Talderas · · Score: 3, Informative

      HIPAA only covers medical providers, health insurance plans, and medical clearinghouses (whatever those are). It is "extended" to cover business associates with which covered entities engage for work assuming the business associate has adequate protections to safeguard the PHI and they won't misuse it. The business associate label just allows a covered entity to share the PHI without seeking the patient's permission.

      A lawyer representing a hospital during a medical malpractice case would be considered a business associate. If a hospital wants to store backup tapes that contain PHI with Iron Mountain, then Iron Mountain is considered a business associate and must meet all the regulations of HIPAA.

      A lawyer representing a client who is suing a hospital for medical malpractice is not representing a covered entity and consequently not required to follow HIPAA regulations.

      If HIPAA was violated in this scenario then the hospital did so by releasing the records to the law firm but I highly doubt that the hospital released the records to the law firm without the patient's permission. The Bar Association or other entities may have something to say but a violation of HIPAA this is not.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
  3. I can see it now... by Moheeheeko · · Score: 4, Funny

    "Mommy, what's 'anal hemorrhoids'?"

    1. Re:I can see it now... by Anonymous Coward · · Score: 5, Funny

      "Mommy, what's 'anal hemorrhoids'?"

      A much better condition than 'oral hemorrhoids'.

  4. Re:HIPAA uber-violation by MyLongNickName · · Score: 5, Insightful

    I am sure the school carefully checked over the scrap paper being donated. Some teacher probably got a box full of paper, took a quick look and was just thankful her funding-starved school got some paper. Otherwise, she'd have had to buy some out of her own paycheck like many teachers do...

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  5. Re:HIPAA uber-violation by sribe · · Score: 4, Informative

    Someone should be fired immediately. And was there no one at the school that noticed this?

    School teachers are not responsible for HIPAA compliance ;-)

  6. Re:Hip, Hip, Hipaa! by sribe · · Score: 3, Interesting

    Good going! Would HIPAA be violated, or lawyer-client privilege be violated in this case?

    Probably both, ouch...

  7. Re:Hospitals are getting better at privacy by SJHillman · · Score: 4, Funny

    But now it's passed to 3rd parties AND 3rd graders!

  8. Makes Sense by Waffle+Iron · · Score: 4, Funny

    Three decades ago when I was in high school, they loaded our PDP-8's line printer with the back sides of boring inventory reports from some manufacturing company.

    However, now that we don't manufacture anything in the USA any more, and our entire economy is becoming nothing more than a mix of healthcare providers and consumers, they *have* to use old health records for printer paper in schools. There's nothing else to use.

  9. Re:Paralegal? by Stargoat · · Score: 4, Insightful

    I can tell you exactly what happened. There were two boxes next to the copier, one which was for the "special needs" children in school, and the other for materials to be shredded. Someone dumped some papers with PII into the "special need" children box when they should have gone into the shred box. Then, more documents without PII were dumped into the "special need" children box. When the school came calling for paper as they do once a month, the paralegal grabbed the "special need" children box and gave it to the school, giving the documents a cursory glance.

    More than likely, the arrogant lawyer who will just dump his papers wherever because he's too busy to actually pay attention is the culprit. The poor paralegal will get the shaft, the "special need" children box will get removed, and we will all move on feeling wiser - except the "special need" children, who no longer will get paper either with or without PII.

    --
    Hoist Number One and Number Six.
  10. Re:HIPAA uber-violation by supercrisp · · Score: 4, Interesting

    Yep. I'm a public university professor, and I regularly have to make copies on the back of once-used paper because we run out of money for paper. I've also been told I need to buy my own printer if I want access to a printer. I'm also being asked to pay for my own inter-library loan articles. Some of our faculty offices have holes in the wall large enough to stick your hand outside and check the weather. (I can't believe I'm not making that one up. But, yep, just looked out window to verify: Prof. Z's office has a fist-sized hole all the way thru the wall; the boards have just rotted away.) Money is getting tight. Unless it's for a new football stadium, which I can see from my window is coming along nicely. (Note to parents: DO NOT LET YOUR CHILDREN GET A GRADUATE DEGREE IN HISTORY, ENGLISH, GEOGRAPHY, OR ANY OF THE HUMANITIES!)

  11. Re:HIPAA uber-violation by orgelspieler · · Score: 4, Funny

    We've bought a few advanced projectors on mobile cats...

    At my school we had mobile projector cats, too. It was hard to keep those little monsters still through an entire lecture, though. Especially when the teacher pulled out the laser pointer.

  12. Re:hysteria about health record security by Jason+Levine · · Score: 3, Insightful

    Health records can contain personally identifying information (like SSN/DOB/address) which can be used for ID theft. (As an ID theft victim, trust me when I say this is *NOT* fun to clean up after.) Also, potentially embarrassing information could be revealed that was trusted to remain between doctor and patient. Working in IT in a medical organization, I can attest to the power HIPAA has over our actions. We need to keep it in mind with everything we do. People get fired for violations like looking up someone's records that they didn't have a job-related need to do. It's not a warning not to do it again with repeat offenders getting the boot. It's strike one and you're out. There will be an investigation and people will be fired.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  13. Re:HIPAA uber-violation by gd2shoe · · Score: 3, Insightful

    Oh bother. This is a law firm which deals with private information as a business. It's what they do. Every peon (non-lawyer) should always assume that every document is private, and that disclosure could lose them their jobs. They should be told this, but they should also be able to figure it out on their own.

    Now there are scenarios (ex:asking permission) where someone else would be at fault. In the general case, though, the paralegal is squarely at fault. I don't want to hire a lawyer who employs that paralegal... thus one can hardly blame the law firm for not wanting to employ him/her any further.

    --
    I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.