This case of potential data leakage is kinda sad. It sounds like the hospital had a policy and procedures established for proper destruction of data, but the company they contracted to perform the “elimination” failed. This example reinforces the importance of medical facilities ensuring that their vendors/contractors with access to PHI are operating under appropriate controls. Also, the medical facilities are responsible for this data even after it is passed along for destruction.
Does the vendor/contractor share in this potential PHI breach? The American Recovery and Reinvestment Act (ARRA), in Title XIII (HITECH), Subtitle D, Section 13401, discusses the application of security provisions and penalties to business associates effective February 17, 2010. This section states that the HIPAA security provisions “shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.” It is recommended that current Business Associate Agreements (BAAs) be reviewed to ensure the language supports the responsibilities of the business associate under the HITECH regulation.