Properly delete electronic medical records, or face fines

Could a complete stranger receive your echocardiogram results in the mail?

Could a homeless guy in Boston end up with your labs in his shopping cart?

Is it possible that your medical records were sold on eBay?

Yes. Yes. And yes.

On February 24, 2011, Massachusetts General Hospital was fined $1 million by the federal government when an employee inadvertently left a stack of papers on the subway. These documents contained the protected health information of 192 patients, many with HIV/AIDS. Where did these medical records go? Nobody knows. Maybe a homeless man wandered off with the papers in his knapsack.

Recently, while watching my nephew shoot hoops at the Y, I read the American Medical News headline: Carelessness behind many health data breaches. According to the article “practices and hospitals are more likely to experience a breach because of an employee losing a thumb drive, mobile device or stack of paper files than because they were targeted for a malicious hacking.”

Doesn’t surprise me. Every few years I get a letter from a health insurance company notifying me that a laptop was stolen with my personal information including my social security number. I’m offered a year of fraud protection; then I’m on my own. I’m assured additional protective measures have been instituted due to the unfortunate and isolated event.

When I continue to read about stolen laptops from hospitals, some right out of employees’ cars, I wonder how many of these laptops have been sold on eBay.

As I leave the YMCA, I stop by my mom’s house on the way home. She’s in the kitchen reviewing the records she just received in the mail from her cardiologist. I ask if she found “anything interesting.” She grins and proceeds to show me the echocardiogram results from some lady named Linda. Mom wonders if her records inadvertently ended up at Linda’s house.

The good news. Though the subway documents were never recovered, there’s no evidence that anyone was harmed. So far my monthly credit alerts indicate nobody has stolen my identity. And in a few days I’ll personally deliver Linda’s records back to the cardiology department at my local hospital. Linda will probably never know what happened. But if Linda does file a complaint then here’s the bad news: The Health Information Technology for Clinical Health Act of 2009 increased the possible fine to $1.5 million for every patient data breach.

I can now understand why my mom–a retired psychiatrist–shredded boxes of patient psychiatric files in her living room before burying the stuff in the backyard. Even I routinely shred confidential information for my garden. Earthworms love old medical records.

But now I have electronic records. Since upgrading my laptop to a MacBook Pro, I wonder how to discard medical files on my previous two laptops. I’ve been told by computer geeks that it’s impossible to reliably eradicate data. The ultimate method for hard drive disposal recommended by the Department of Defense is complete physical destruction after overwriting and degaussing.

So to protect my patients I’ll be heading out to Home Depot for my protective gear and sledgehammer for a weekend of pounding hard drives before smelting or pulverizing them.

I may be going overboard. I’m not sure.

But I’m thinking I’d rather buy new $89 hard drives before selling my old laptops on eBay than get slapped with a 1.5 million dollar per-patient penalty.

Pamela Wible pioneered the community-designed ideal medical clinic and blogs at Ideal Medical Care.


  • Anonymous

    To Serve Man – It’s a Cookbook!

  • http://pulse.yahoo.com/_2LRZNHDZS6DU45WQ567LPQ7CMI ninguem

    Not that I’d advocate being sloppy with medical records. Still……….

    If your medical record suddenly ended up on the front page of the New York Times, how many of us would seriously be hurt by that? Yep, now you know, I have hypertension and hemorrhoids, people can’t call me a perfect A-hole anymore. I daresay the great majority of people, it would be nothing more than a chuckle, if even that.

    As opposed to someone getting hold of your FINANCIAL data; social security, credit card number, bank account, I bet someone could do lots of damage with that.

    Physicians have taken oaths of confidentiality that go back to Hippocrates, and existed long before HIPAA, in AMA rules, State Board regulations, etc. Yet the privacy rules dump down on the group with the longest tradition of maintaining confidentiality.

    They tell Dr. Wible to take the laptop and go at it with a flamethrower, lest somebody find out that 90-year-old Mrs Smythington in the nursing home has dementia.

    Then some clown in hospital administration works on the cafeteria budget, downloads the data for the cafeteria financials………and the rest of the hospital as well, and every patient in it, for the last five years. Then Bozo leaves it behind at a Starbucks. Just plain idiotic carelessness, and it happens time and time again, city after city, all over the country, and the vast majority of the time, it’s administrative types.

    Clinical doctors treat patients one at a time. We can only screw up retail.

    To screw up wholesale requires an administrator.

    And that doesn’t even count the deliberate sale of your information. Prescribe Prozac to your dog. Pick up the prescription at the pharmacy. See how long it takes for Fido to get junk mail for Lexapro or a stay at Serenity Manor.

    • http://www.twitter.com/alicearobertson Alice Robertson

      But, Ninguem….if all you say is true…why do you post anonymously? I can pay for anyone’s financial records, cell phone records, etc., but my daughter was mentioned anonymously on an employee only bulletin board (the post was removed quickly), and the doctor who messed up (again anonymously in the post) filed to have my relative fired….I had to say I did not mind….but the brouhaha was pretty fascinating….the Chair of the negligent ENT lied for him…but wanted my relative fired….hmmm….considering the negligent doctor let cancer spread in my daughter’s lymphs….that was covered for fear of a lawsuit while a witchhunt unfolded over an anonymous child and doctor post…..it does get ridiculous….with management harming instead of healing one can understand the demands of patients when doctors act like this…you are ultra regulated. I tend to think it was too far reaching.

    • http://twitter.com/PamelaWibleMD PamelaWibleMD

      @ninguem - Love what you wrote. Still have no idea who you really are. . . . :) Pamela

      • http://pulse.yahoo.com/_2LRZNHDZS6DU45WQ567LPQ7CMI ninguem

        “there’s more privacy for your video rental records than your medical records”

        (remember video rentals?)

        Goes back to the Bork hearings, when he was a nominee for the Supreme Court. Political operatives opposed to Bork looked for any dirt they could. They decided to search his video rentals, hoping to find porno. They discovered a few things.

        1. Robert Bork had boring video tastes. No porno. Nothing even close.

        2. It was really, really easy to find anyone’s video records.

        3. If we can do it to Bork, they can do it to Ted Kennedy……who likely had very interesting video rental tastes.

        So in a show of bipartisan unity rarely seen in American politics, both sides joined hands and passed some of the strictest privacy laws concerning video rental records.

  • http://www.twitter.com/alicearobertson Alice Robertson

    A doctor I actually admire and respect placed a falsehood in my daughter’s medical EMRs….he tried and tried to remove it…even filled out the required forms asking IT to delete that portion telling me, “They have no reason being there.” Nada….Chair flushed the notes…and they are coauthors….the doctor quit the Clinic….he tried….chair of the ENT Dept. refused to make the notes honest. Just a heads up…if a big hospital screws up….there will be a cover up….your EMRs will remain falsified….those notes serve the hospital better than you. And trying to obtain copies of those EMRs will take patience and dealing with Attila the Hun on the phone….I believe it is purposeful…an effort to intimidate. And, yes, you can receive the records of someone else….half of what you order….double bills at $2 a page and if you refuse to pay double….a collector….etc.

    A game of cat and mouse….that I lost because the notes remain false.

    • http://twitter.com/PamelaWibleMD PamelaWibleMD

      Thanks for sharing Alice. I’m sorry you had to go through all of this.

  • http://twitter.com/PamelaWibleMD PamelaWibleMD

    Recently I was told by a patient that photocopy machines have hard drives so all that financial and medical information is stored on Kinkos and in every medical clinic across the country. Buy a used photocopy machine and find a plethora of personal information. Scary stuff as reported here: CBS Report: Copy Machines Retain Copies On Their Hard Drives | Crooks and Liars:

    (CBS) Nearly every digital copier built since 2002 contains a hard drive – like the one on your personal computer – storing an image of every document copied, scanned, or emailed by the machine. In the process, it’s turned an office staple into a digital time-bomb packed with highly-personal or sensitive data. If you’re in the identity theft business it seems this would be a pot of gold. “The type of information we see on these machines with the social security numbers, birth certificates, bank records, income tax forms,” John Juntunen said, “that information would be very valuable.” Juntunen’s Sacramento-based company Digital Copier Security developed software called “INFOSWEEP” that can scrub all the data on hard drives. He’s been trying to warn people about the potential risk – with no luck. “Nobody wants to step up and say, ‘we see the problem, and we need to solve it,’” Juntunen said. This past February, CBS News went with Juntunen to a warehouse in New Jersey, one of 25 across the country, to see how hard it would be to buy a used copier loaded with documents. It turns out … it’s pretty easy. [...] We didn’t even have to wait for the first one to warm up. One of the copiers had documents still on the copier glass, from the Buffalo, N.Y., Police Sex Crimes Division. It took Juntunen just 30 minutes to pull the hard drives out of the copiers. Then, using a forensic software program available for free on the Internet, he ran a scan – downloading tens of thousands of documents in less than 12 hours. The results were stunning: from the sex crimes unit there were detailed domestic violence complaints and a list of wanted sex offenders. On a second machine from the Buffalo Police Narcotics Unit we found a list of targets in a major drug raid. The third machine, from a New York construction company, spit out design plans for a building near Ground Zero in Manhattan; 95 pages of pay stubs with names, addresses and social security numbers; and $40,000 in copied checks. But it wasn’t until hitting “print” on the fourth machine – from Affinity Health Plan, a New York insurance company, that we obtained the most disturbing documents: 300 pages of individual medical records. They included everything from drug prescriptions, to blood test results, to a cancer diagnosis. A potentially serious breach of federal privacy law.

  • http://onhealthtech.blogspot.com Margalit Gur-Arie

    ninguem: “If your medical record suddenly ended up on the front page of the New York Times, how many of us would seriously be hurt by that?”

    Not many, but some will be hurt badly.
    If we outlawed the Eckankar religion, how many would be hurt by that?

    The point is not that only a few will be hurt by this or that. The point is that people have a right to privacy. All people.

    • http://pulse.yahoo.com/_2LRZNHDZS6DU45WQ567LPQ7CMI ninguem

      The point is that people have a right to privacy. All people.

      Gee…….no kidding. That was rhetorical you know. No one intends to put medical data on the NY Times. (Actually, given their dropping readership, it might be a secure place for medical data.)

  • Anonymous

    Wow. Thanks for the warning. I will have to check with my MD to see if they have a procedure in place. Doubtful, seeing as how they only recently went to electronic record keeping.

    • http://pulse.yahoo.com/_2LRZNHDZS6DU45WQ567LPQ7CMI ninguem

      Fine to do, but the real problem is the DELIBERATE release of your medical information by insurance companies and pharmacy chains.