If you haven't yet caught up with the new HIPAA Omnibus Rule
and its consequences for businesses that are not themselves
healthcare providers but are service providers to healthcare
entities (and even further downstream than that), you can
listen to our recent webinar highlighting the most important
changes and issues.
A recent settlement
released by the Massachusetts Attorney General calls attention
to the fact that improper disposal of medical records and personal
information can cost you. The owners of
a medical billing practice and four pathology groups, whose patient
information was all improperly disposed of, will collectively pay
$140,000 to settle the claims.
In July 2010 a Boston Globe photographer discovered a knoll of
medical records at the Georgetown Transfer Station.
Goldthwait Associates, a medical billing practice, tossed the
records of more than 67,000 Massachusetts residents at the public
dump when they closed shop in May 2010. The records included
names, Social Security numbers, health insurance information and
The AG alleged that the owners of Goldthwait Associates
improperly disposed of medical records and in doing so violated the
Massachusetts Consumer Protection Act, the
Massachusetts Data and Disposal and Destruction Act, and the
Massachusetts Security Breach Act (including 201 CMR
17.00). The pathology groups were charged with
"failing to have appropriate safeguards in place to protect
the personal information they provided to Goldthwait
Associates" and not taking reasonable steps to retain a
service provider that had appropriate security measures in place to
protect personal information (PI) and protected health information
(PHI). The groups were alleged to be in violation of the
Massachusetts Security Breach Act and
HIPAA Privacy and Security Rules.
The complaint outlines steps that the groups did not take during
their relationship with Goldthwait, which can serve as a to-do list
when onboarding new vendors:
- inquire about the vendor's methods for ensuring adequate safeguards for protecting PI and PHI;
- inquire about the vendor's methods for disposing of PI
- inspect the vendor's facilities;
- request a copy of the vendor's policies and procedures or contracts that detail the vendor's method for disposing of PI and PHI;
- verify that employees of the vendor who come into contact with PI or PHI are adequately trained regarding the appropriate methods for handling or disposing of such information.
The settlement agreement requires each pathology group to vet
business associates, ensuring they have a written information
security plan and that the practices described are sufficient to comply
with the groups' obligations to protect personal information
and PHI. The groups must also execute business associate
agreements before disclosing any PI or PHI to service
providers. AG Coakley said, "Personal health information
must be safeguarded as it passes from patients to doctors to
medical billers and third-party contractors."
Gagnon, the owner of Goldthwait Associates, told news
sources that some of the groups were his clients for over 25
years, which may explain why they failed to have formal agreements
in place. This settlement underscores the importance of
reviewing the practices of your vendors (even if your best friend
owns the company) and signing agreements with them that cover the
protection of PI and PHI. If you handle PHI you should also
take a look at the
data security tips for health care organizations for helpful
ways to update your data security practices.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
I strongly urge every covered entity and business associate faced with a Business Associate Agreement that includes indemnification provisions to read Michael Kline’s "List of Considerations" before signing.