A Gastonia man found a box of medical records on his front porch that contained Social Security numbers, birthdays and other personal information of dozens of people.
He didn’t know whether to shred the papers or mail them back, so he contacted Action 9 to ask what he should do.
Blake Drumm said he was stunned when he opened a box that he thought was for his daughter’s upcoming birthday. He said it contained page after page of patients’ medical records, including names, addresses and diagnoses.
“That shouldn’t be public, plain and simple, so I just wanted to get to the bottom of it. Make sure that we’re doing the right thing,” Drumm told Action 9′s Jason Stoogenke.
The label on the box indicated that it was from Concentra, a company that runs medical offices specifically for people hurt on the job. The box was labeled to be sent to the workers’ compensation subsidiary Workpartners at the University of Pittsburgh Medical Center (UPMC) in Pennsylvania. It also had another label with no name but Drumm’s address in Gastonia.
“It made me sick … we shouldn’t be seeing that,” he said.
Stoogenke immediately started contacting some of the patients to recommend they take steps to protect their personal information and money, like checking their bank accounts and freezing their credit.
He also got in touch with Concentra and spent the past three days coordinating the effort to get the records into the right hands.
It’s still not clear how the box ended up being delivered to Drumm. Stoogenke emailed Concentra, UPMC, Workpartners and the U.S. Postal Service, which delivered the package. The USPS has asked for more information so it can look into it.
It’s also not clear if any of the other agencies have alerted the patients to let them know their information went somewhere it shouldn’t have.
Stoogenke suggests that if you somehow end up with someone else’s personal records, get in touch with the sender, turn the records over to the police to sort out or do what Drumm did and ask for help.
10 QUESTIONS AND ANSWERS ABOUT PATIENT PRIVACY LAW (HIPAA)
1. HIPAA applies to providers but does it also apply to anyone who touches medical records, such as insurance companies or others?
No. The entities that must follow HIPAA are defined as “covered entities.” Covered entities include health care providers, health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid. “Business associates” of covered entities must also follow HIPAA.
2. Can you mail medical records?
Yes.
3. If you mail medical records, do you have to take any special precautions such as using a special courier or return receipt service?
No.
4. If medical records fall into the wrong hands, is the sender required to notify the patients impacted?
It depends. Covered entities and business associates must notify patients and the U.S. Department of Health and Human Services “in the event of an impermissible use or disclosure” of personal health information, unless there’s “a low probability of compromise,” according to the American Medical Association.
5. What is the civil penalty for violating HIPAA?
“Civil penalties for HIPAA violations start at $100 per violation by any individual who violates HIPAA Rules. The fine can rise to $25,000 if there have been multiple violations of the same type. These penalties are applied when the individual was aware that HIPAA Rules were being violated or should have been aware had due diligence been exercised. If there was no willful neglect of HIPAA Rules and the violation was corrected within 30 days from when the employee knew that HIPAA Rules had been violated, civil penalties will not apply,” according to HIPAA Journal.
6. What is the criminal penalty for violating HIPAA?
“The criminal penalties for HIPAA violations can be severe. The minimum fine for willful violations of HIPAA Rules is $50,000. The maximum criminal penalty for a HIPAA violation by an individual is $250,000. Restitution may also need to be paid to the victims. In addition to the financial penalty, a jail term is likely for a criminal violation of HIPAA Rules,” according to HIPAA Journal. “Criminal violations that occur as a result of negligence can result in a prison term of up to 1 year. Obtaining protected health information under false pretenses carries a maximum prison term of 5 years. Knowingly violating HIPAA Rules with malicious intent or for personal gain can result in a prison term of up to 10 years in jail. There is also a mandatory 2-year jail term for aggravated identity theft.”
7. If you aren’t a covered entity and accidentally receive medical records, does the law specify what you have to do with them (e.g., return them or shred them)?
No. It’s up to you. Just don’t disclose the personal information further.
8. Could you contact the patients yourself to warn them?
Yes.
9. HIPAA is federal. Are there state patient privacy laws?
Yes. North Carolina has statutes that make medical records private and privileged.
10. If you suspect wrongdoing, who do you tell?
You can file a complaint here.
