Document destruction demands diligence
■ A column about keeping your practice in good health
By Pamela Lewis Dolan — covered health information technology issues and social media topics affecting physicians. Connect with the columnist: @Plewisdolan — Posted March 26, 2007.
- WITH THIS STORY:
- » Related content
Stephen Schutz, MD, said his gastroenterology practice takes patient confidentiality so seriously, secured bins around the office store everything from sticky notes to phone messages.
The Digestive Health Clinic in Boise, Idaho, not only has someone shred the contents in these bins once a week, but the documents are shredded on-site to ensure no outside eyes are ever laid upon confidential patient information.
"Part of it is convenience, but part of it is a little bit of control," Dr. Schutz said of the decision to have the shredding done on-site.
As medical identity theft rises many practices are looking for convenient and secure ways to destroy confidential patient records, particularly those practices converting to electronic files who wish to dispose of many years' worth of paper files.
But a few recent incidents in which document destruction companies mishandled patient files should make clear to physicians that they need to make sure the company they hire knows how to dispose of documents without -- intentionally or not -- letting them get into the hands of identity thieves.
The Utah Attorney General's office launched an investigation last fall after a Salt Lake City news crew found thousands of patient files and x-rays in an unlocked bin outside a third-party company hired by a recycling firm to separate paper files from x-ray films. Utah Assistant Attorney General Richard Hamp said the state passed a law last year that created a penalty of $2,500 per individual whose records were compromised, up to a maximum fine of $100,000. The law took effect in January.
Chris Nelson, a spokesperson for the University of Utah Hospital system, which had files in the unlocked bin, said the company could have protected itself by simply moving the storage bin inside. But the experience made the health system "a little more vigilant that we don't get sloppy with our own procedures," Nelson said.
Most shredding companies, which charge by the box or in a general range of eight to 16 cents per pound, offer the option to have the shredding done on-site with a large mobile unit for an additional surcharge and travel fee. Some charge less per pound the more you shred, and some offer regularly scheduled visits for a flat rate.
The Sierra Neurosurgery Center in Reno, Nev., has been shredding approximately 400 pounds of paper per week since November 2005 as part of the process of transferring 8,000 patient files to an electronic medical record system. Dyana Selby-Davis, health records manager for the practice, said a reputable company will offer a certificate of destruction every time something is destroyed.
Bob Johnson, founder and president of the National Assn. for Information Destruction, the trade group that provides much of the unofficial oversight of the industry, said he's currently not aware of reports of people using a destruction or storage business as a front for an identity theft scam, but industry insiders have become increasingly concerned with the possibility. But, if medical groups practice their due diligence and hire reputable companies, it won't be worth the thieves' time to set up shop as a fake company, he said. His advice to practices:
- Know the difference between recycling and destroying. Don't trust a company that claims general recycling is the same as destroying documents. General recycling lacks several of the federal requirements to comply with consumer/patient protection laws.
- Have a written policy on document destruction before contacting vendors for bids. Examine a company's written policy of how it manages the destruction.
- Require the company to do background checks of its employees.
- Make a vendor sign a contract binding it to HIPAA and the Fair and Accurate Credit Transaction Act. FACTA is the basis for allowing individuals access to their credit reports.
- Conduct periodic, unannounced audits of the destruction facility if the destruction is not done on-site.
Pamela Lewis Dolan covered health information technology issues and social media topics affecting physicians. Connect with the columnist: @Plewisdolan —