HospitalInspections.org

Bringing transparency to federal inspections

1600 SOUTH 20TH AVENUE

SAFFORD, AZ

PROTECTING PATIENT RECORDS

Tag No.: A0441

Based upon hospital policy on disposal of medical records, a Health Insurance Portability and Accountability Act (HIPAA) document, and interview, it was determined that the medical records were not protected from unauthorized use, as they are buried and not destroyed.

Findings include:

The hospital's policy "Destruction of Medical Records" #6108 revealed:

"Pursuant to the portion of the policy regarding record destruction, it is the policy of the department to assure that all records are destroyed completely. Complete destruction is performed by Material Management.
Procedure: After the collection of the documents determined to be disposed, the documents will be dumped into a secured/locked covered dumpster to the Materials Management loading dock. These documents will then be transported to the county landfill and disposed of through proper measures of disposal.
-Vista Recycling is notified by a representative of Materials Management to arrange destruction of medical records.
-County will dig a hole approximately 20 feet deep in a designated area.
-Documents will be placed in the hole and covered with water to aid in decomposition.
-County will cover hole with dirt.
-Two witnesses will verify all documents have been placed in the hole and covered appropriately."

The Risk Manager was interviewed on 12/21/11 regarding the disposal of medical records. He stated they are scanning medical records into their electronic system and then the paper medical records are placed in bags in a locked dumpster. A member of the hospital's Materials Management department accompanies Vista Recycling to the county landfill, where a hole is dug and the records, which are in plastic bags, are then buried. When asked how the water aids in decomposition if the records are in plastic bags, the Risk Manager stated that if they were not in plastic bags, the records could possibly blow away in the process of being dumped.

The Risk Manager provided a document from the U.S. Department of Health and Human Services - Office for Civil Rights titled "The HIPAA (Health Insurance Portability and Accountability Act) Privacy and Security Rules Frequently Asked Questions about the Disposal of Protected Health Information (PHI)." This document was also found on the Internet. The response to the question regarding the HIPAA requirements when disposing of PHI included the following:

"Thus, covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. However, the Privacy and Security Rules do not require a particular disposal method...In general, examples of proper disposal methods may include, but are not limited to:
-For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed."

Another question, regarding hiring a business associate to dispose of protected health information, had the response: "Yes, a covered entity may, but is not required to, hire a business associate to appropriately dispose of protected health information (PHI) on its behalf. In doing so, the covered entity must enter into a contract or other agreement with the business associate that requires the business associate, among other things, to appropriately safeguard the PHI through disposal."

There is no contract in place between the hospital and Vista Recycling Company. There was no documentation that two witnesses verified the records were buried. Although the paper records are buried, they are not destroyed or rendered unreadable. The landfill is the county landfill and access is not restricted.