Officials haven’t explained yet how the medical records for up to 1800 people wound up in a dumpster in Houston. Somehow they were thrown out from an office of the Texas Health and Human Services Commission. Records apparently contained patient names, conditions, even bank account information. Here’s a full rundown on the story from Houston’s KPRC-TV.
While this is an extreme case, many companies have their own problems managing the medical records of their employees. Privacy and record security fall under the Health Insurance Portability and Accountability Act (HIPAA), and fines for HIPAA violations range from $100 to $50,000 per violation (or per record), with a cap of $1.5 million. Even though the law has real teeth, company handling of medical information can be pretty sloppy.
Roughly 70% of companies say they have experienced HIPAA security breaches, according to one survey. Here are a few of the top problems companies experience:
- Employee Snooping – Someone is curious about a co-worker and the records are not secure, so he or she peeks.
- Loss of records or equipment holding electronics – Companies have been slow to adopt security protocols to protect the actual records or the electronic memory that holds records.
- Gossip – Yes, conversations are frequently overheard or information is shared outside the authorized channels.
- Texting test results – Sometimes the quickest way to send information is not the best way.
- Training – Few companies take the time to fully train the employees who are responsible for controlling HIPAA-sensitive information.
What I tend to find with companies is that the sheer logistics of managing employee records is hard for them to overcome. For example, let’s say company A has a number of regional offices and crews that travel to remote locations for maintenance jobs. The company has random substance abuse testing done on or near the job site. It soon becomes very difficult to keep up with the information flow and, when communications break down, exposure to HIPAA violations increases. Then it is a short step to a records management system that consists of cardboard boxes in offices scattered around the country.