L.A. County Sheriff's Department officials discovered last week that a janitor in the Martin Luther King, Jr. Multi-Service Ambulatory Care Center in Willowbrook, CA, sold boxes containing 33,000 patient records to a recycling center.
The Los Angeles Times broke the story Friday that Robert Sanders, 55, took 14 boxes containing addresses, phone numbers and other demographic patient information and sold them for $40 for their paper value. He was charged with felony commercial burglary.
The hospital discovered the missing files in July.
Reached Monday by phone, a spokesperson at the Los Angeles County Department of Health Services said the hospital regrets the incident but ensures the boxes were in a "secure place."
"These records were not just out in a hallway," the spokesperson said.
The spokesperson also told HealthLeaders Media that the information contained no Social Security numbers or medical records numbers and rather demographic information on patients from 2008.
The hospital is "re-doubling" its efforts to ensure its records stay confidential and within the facility, the spokesperson said. It has complied with all notification requirements, established a toll-free number and is notifying the affected patients.
One HIPAA privacy and security expert said hospitals can avoid records falling in the wrong hands by having an officer account for them at all times.
"One theme the incident does touch on is that of prevention," says Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA College in Casa Grande, AZ. "This incident is a bit of a head scratcher because this incident involved the movement of 14 boxes from the facility. So either this person was in a situation where his actions were not noticed by others (for example he may have been the only person in the area) or if others noticed him, they didn't think to perhaps intervene or perhaps didn't perceive anything wrong with what he did."
Ruelas says the incident raises questions regarding boxes of personal health information (PHI):
- Are boxes containing documents clearly labeled to identify that their contents are confidential?
- If boxes and their contents are identified, are they being destroyed in a manner consistent with a hospital's policy on the destruction of confidential documents?
A "good rule of thumb," Ruelas says, is to dispose of confidential documents in accordance with policy during business hours when possible.
"This enables those who are knowledgeable about the documents and how they are to be disposed of to be involved," Ruelas said. "To leave documents staged such that they can be removed by unauthorized personnel or in a manner inconsistent with the organization's policy can result in an incident such as this one."
Also, restrict janitorial services in areas containing confidential documents during business hours; only allow them to work when someone can supervise access to and from such locations.
"In some hospitals, if janitorial services are needed in restricted-access areas after hours, security or other staff [should] remain in the area until the janitorial services are completed," Ruelas said.
Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.