Patients who go to the doctor’s office looking for relief from a chronic condition or a cure for a sudden ailment typically turn over a trove of personal medical and financial details before they even get into the exam room. And when they depart, they leave all that information with the physician.
Medical professionals and facilities are required by the Health Insurance Portability and Accountability Act to protect the confidentiality of patient records. Recently, stepped-up enforcement of the federal regulation has brought hefty fines for violations by health care providers, but for files that are abandoned, left unsecured and potentially accessible to non-medical personnel, state law is providing the protection.
Indiana already had a statute covering abandoned medical records, but Senate Enrolled Act 549, which sailed through the Statehouse during the 2017 session, updated the law. The new provisions expanded the definition of “abandoned,” added language requiring database owners to safeguard the medical information stored in their systems, and gave the Indiana Attorney General the power to recover the costs of protecting the discarded health records.
Attorneys view the new law as a response to the increasing use of electronic medical records. Paper files are becoming obsolete as doctors, nurses and medical technicians put patient history into computers and tablets. Keeping these files updated, accessible and safe is very complex and very costly.
Krieg DeVault LLP partner Stephanie Eckerle and senior associate Meghan Linvill McNab said the new law is addressing the intricacies of securing electronic medical records and reminding physicians they need to keep careful watch over their files by, among other things, implementing HIPAA-compliant security practices. The update to the state statute is not necessarily an indication that health care providers are neglecting their responsibilities.
“I don’t think we’re seeing a laxness in confidentiality,” Eckerle said. “I think most health care providers are trying to comply with the regulations.”
Still, when medical practices become defunct, all the records are left behind. The Indiana Attorney General’s website includes a link that lists the physicians and facilities that abandoned their medical files and provides instructions for how patients can retrieve their information. Currently, the list has 18 entries.
News stories in the past couple of years also have recounted medical records being found in the trash. In the summer of 2015, an employee of a pizza parlor in northwest Indiana peered into a dumpster behind the restaurant and found equipment and patient files from medical testing facility My Fast Lab. The documents included lab results as well as photocopies of Social Security cards, driver’s licenses and insurance policy numbers.
That’s the most valuable kind of information, said South Bend attorney Laura Seng, chair of Barnes & Thornburg LLP’s national health care department. Thieves do not necessarily care about a patient’s kidney stone, but with bank account numbers and a home address, they can steal the individual’s identity. Also, with the insurance information, they could get their own medical treatment and then file the claim on the other person’s health plan.
SEA 549 was inspired by paper medical records being discovered in a city park.
Indianapolis Republican Sen. Jack Sandlin, co-author of the measure, decided to introduce the legislation after meeting with the consumer protection division in the Indiana Attorney General’s Office in 2016.
The state lawyers told the senator about the work they had to do to catalogue and preserve the patients’ personal health files that had been thrown into a recycling bin at Broad Ripple Park in Indianapolis last summer. Police officers discovered the documents, pulled them from the bin and handed them over to the attorney general’s office.
The original version of SEA 549 enlarged the definition of “abandoned” to include medical records that are “recklessly or negligently treated.” Also, it gave the attorney general the ability to file an action against a health care provider to recover the costs of safeguarding the abandoned records.
When the bill reached the floor of the House of Representatives, Republican Rep. Mike Speedy of Indianapolis successfully offered an amendment he described as narrowing the scope of the bill. Some legislators who worried that the original bill was too broad liked Speedy’s language limiting the measure to health care providers and clarifying the definition of health records.
Sandlin’s co-author, Sen. Aaron Freeman, R-Indianapolis, described SEA 549 as being a preventive measure. He does not want the law to be punitive in nature but rather to encourage medical professionals to have a plan on how to protect patient files.
“We need to button up people’s private information where we can, especially their private medical information,” Freeman said. “When companies do go out of business, they need to make sure these records are secure.”
And the advent of electronic medical records is making the data more accessible. As attorney Patrick Cross, leader of Faegre Baker Daniels LLP’s national health and life science industry team, pointed out, the electronic platform creates efficiency by allowing health care professionals to access a patient’s entire history of illness, treatment and medications without having to rely on the individual’s memory.
Increasingly, through health information exchanges and the like, medical professionals can get an even more complete picture of an individual’s health history by pulling information from most or even all the doctors a patient has seen.
“We want to provide broader access and availability to the health care providers who need the information to provide higher-quality treatment to the patient,” Cross said. But he noted these files still have to be protected from unauthorized individuals and that is a “problem in the process that needs to be managed.”
SEA 549 gives the attorney general additional enforcement authority to hold current and former health care providers accountable if they fail to safeguard medical records and databases.
Deterrent and reminder
Indiana’s SEA 549 comes as the U.S. Department of Health and Human Services has imposed hefty fines for HIPAA violations.
In May, St. Luke’s-Roosevelt Hospital Center Inc. in New York City paid $387,200 after one of its offices faxed a patient’s medical records, which included information on his HIV status, sexual orientation, medical care and mental health diagnosis, to the patient’s employer. Memorial Hermann Health System in Texas was fined $2.4 million the same month for disclosing a patient’s personal health information in a press release.
Indiana’s abandoned medical records law covers the area that HIPAA does not. When Sandlin presented the bill to the Senate Civil Law Committee, members questioned whether the measure would conflict with or duplicate HIPAA. He explained that when a health care entity goes out of business and walks away from its patients’ records, the federal act does not supply a remedy.
State statute did provide some funding for the attorney general to maintain the abandoned records, but safeguarding electronic files is more expensive. Securing the information and preventing hackers from gaining entry require special expertise that usually comes with a high price tag.
The new law adds a section that allows the attorney general to file an action against a current or former health care provider to recover the costs of storing and protecting the abandoned medical records. A court may then order reimbursement if the judge finds the provider “intentionally or negligently abandoned” the records.
Although recovering money from a defunct practice might be difficult, in some circumstances the attorney general could recoup its costs. Eckerle and McNab said the provision is more a deterrent, letting providers know they could be handed a bill if they abandon their records.