BLOG

In the past, we’ve stressed the importance of our document disposal services for those in the medical community. Just this summer, we explained our reasoning. The Personal Health Information Protection Act (PHIPA) has set particular standards for the way medical information is collected, accessed, and disposed of by healthcare workers. Today, we’d like to explain what happens should the PHIPA and similar laws be broken. Failure to follow these requirements can risk more than accidental exposure of personal medical data. It can have substantial, financial consequences for those in the healthcare profession.

In Canada, personal information collected by healthcare professionals is protected. This includes contact information, family medical history, current and past physical and mental health records, prescriptions, and test results. When the time comes to dispose of this data, those services that collected and kept record of it are bound by law to destroy this information. Though both PHIPA and the US Health Insurance Portability and Accountability Act (HIPAA) clearly state this stipulation, there are those in the medical community that think they can cut corners and violate the law.

Skirting the law commonly manifests as disposing Personal Health Information (PHI) just like any old trash. Time and time again, medical and dental practices place old records in public garbage bins and landfills, without taking the time to redact or destroy any information. Without thinking of the security of their clients, they consider it the easier and cheaper option to commercial shredding. What these firms fail to consider is the criminal penalties that await them for improper disposal.

In 2013, Joseph and Louise Gagnon of the Goldthwait Associates learnt of the consequences for improper disposal the hard way. After releasing the medical and billing records of approximately 67,000 patients from four separate pathology groups, the Massachusetts Attorney General fined the collective $140,000.

Physical, or paper, records of PHI aren’t the only data safeguarded by law. Both PHIPA and HIPAA protects digital information collected and kept online or on internal databases. In fact, a digital data breach that occurred in 2014 makes the previous Goldthwait Associates infraction and penalty seem trivial by comparison. Last year, the Community Health Systems fell victim to two separate malware cyberattacks, which compromised 4.5 million of their health care records. As one of the largest health organizations in America, the CHS had to alert patients in 29 states across the country and reach a $4.8 million settlement.

Had only the appropriate precautions been taken, these medical organizations could have avoided steep penalties and devastating reputational consequences. As the letter of the law states, PHI should be completely and utterly destroyed before it leaves any medical facility, and the appropriate in-person and digital security measures should be adopted to ensure stored records are safe too.

We may not be able to help you implement a comprehensive security program. But as a NAID certified commercial document disposal service, we can help you destroy any PHI your firm collects according to the law. Our mobile shredding service can guarantee the complete destruction of both physical and digital materials. When our team of bonded disposal experts deliver you our “Guarantee of Destruction”, you know your practice is taking the appropriate measures to properly destroy your records. To ensure you don’t face legal action, book our services without delay. We’ll destroy your PHI and keep you on the right side of the law.