Faulty Record Disposal by Business Associate Exposes Physician Practice

June 22, 2015 – In The News
Medical Practice Compliance Alert

Michael Kline and Elizabeth Litten were quoted in the Medical Practice Compliance Alert article “Faulty Record Disposal by Business Associate Exposes Physician Practice.” Full text can be found in the June 22, 2015, issue, but a synopsis is below.

A recent case in the Chicago area is demonstrative of how it is more important than ever for physicians to scrutinize how they, or any third party, stores and disposes of medical records, as illegal dumping could lead to government action.

The Illinois attorney general's office has sued FileFax Inc. for exposing thousands of patient medical records belonging to pulmonology group Suburban Lung Associates by dumping them in an unlocked garbage dumpster accessible to the public.

While Suburban Lung had a written contract with FileFax to keep the records secure, it's unclear whether the contract constituted a business associate agreement.  Suburban Lung is now incurring the cost of this breach financially, through credit monitoring and identity-theft protection services to affected patients, and publicly, through notifying HHS and the media pursuant to HIPAA.

"Even if the practice was perfect and a victim, it's still a hassle," said Elizabeth Litten.

It's also likely that, if any patients should file lawsuits against FileFax, Suburban Lung would also be named as an additional defendant.

"It's their records and their name.  They'll have to give attention to the litigation [even if the practice has done no wrong]," Michael Kline cautioned.

To protect against improper file disposal, it's advised that all practices treat record storage and disposal companies seriously, vet storage and disposal companies for compliance, have a written, signed business associate agreement, monitor compliance even after signing the initial agreement, make sure privacy practices and patient authorization forms mention any business associates and buy cyberinsurance in the event of a breach.