"One theme the incident does touch on is that of prevention," says Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA College in Casa Grande, AZ. "This incident is a bit of a head scratcher because this incident involved the movement of 14 boxes from the facility. So either this person was in a situation where his actions were not noticed by others (for example he may have been the only person in the area) or if others noticed him, they didn't think to perhaps intervene or perhaps didn't perceive anything wrong with what he did."
Ruelas says the incident raises questions regarding boxes of personal health information (PHI):
A "good rule of thumb," Ruelas says, is to dispose of confidential documents in accordance with policy during business hours when possible.
"This enables those who are knowledgeable about the documents and how they are to be disposed of to be involved," Ruelas said. "To leave documents staged such that they can be removed by unauthorized personnel or in a manner inconsistent with the organization's policy can result in an incident such as this one."
Also, restrict janitorial services in areas containing confidential documents during business hours; only allow them to work when someone can supervise access to and from such locations.
"In some hospitals, if janitorial services are needed in restricted-access areas after hours, security or other staff [should] remain in the area until the janitorial services are completed," Ruelas said.