Privacy Tip #324 – What Happens to My Health Information When a Hospital Goes Out of Business?

Linn Freedman
Robinson+Cole Data Privacy + Security Insider
Contact
LinkedIn
Facebook
X
Send
Embed

In general, both state and federal laws apply to health information or protected health information that is in the possession of hospitals, health systems, and medical providers.

HIPAA requires that covered entities protect the confidentiality and integrity of protected health information in their possession and secure it from unauthorized access, use, or disclosure. In addition, state laws may apply to protect the confidentiality of health information depending on the state in which you reside and may require health care providers to properly dispose of health information when the health care provider is no longer in business.

When a health care entity goes out of business, it is supposed to follow the laws that are applicable to it when disposing of the health information in its possession. Unfortunately for patients of Eastern Ozarks Regional Medical System (Eastern Ozarks), it appears from a complaint filed against it by the Arkansas Attorney General (AG) that it did not properly dispose of medical records when it closed its doors in 2004.

According to the AG’s complaint, the system shuttered its doors in 2004 and the property was transferred to the state because of tax deficiencies. Patients’ files were left behind in the facility and storage buildings, the facility was vandalized, and the vandals had access to and examined the files in order to steal sensitive personal and health information. AG Leslie Rutledge conducted a site examination and estimates that there “could be several thousands of files that were left behind in the unsecured buildings. These files contained social security numbers, driver’s license numbers, account information, medical information and biometric data.”

Attorney General Rutledge alleges that Eastern Ozarks violated the Arkansas Personal Information Protection Act and the Arkansas Deceptive Trade Practices Act. Civil penalties of up to $10,000 for each violation of those laws are applicable.

State Attorneys General usually have jurisdiction over consumer protection. According to Attorney General Rutledge, “Consumers must be able to trust their healthcare providers and employers to protect their personal information.”

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider
Robinson+Cole Data Privacy + Security Insider
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide