Photographer Finds HIPAA Violations – At His Local Recycling Center

A good journalist is always willing to dig a little dirt to get a good story, but dig through the trash? That is just what one Boston Globe photographer did earlier this year, when he realized that the recycling center where he was dropping off his own trash was filled with confidential medical records.

Records from four Massachusetts-area hospitals were found among the piles of domestic trash, compromising the protected personal information of thousands of patients. The dumped records were found to be pathology reports from 2007 to early 2010, which included names, addresses, dates of birth, diagnoses, insurance policy numbers and Social Security numbers.

The four hospitals came under immediate fire, but further investigation revealed that the records were sent to the Georgetown Transfer Station by the manager of a billing company with which the four institutions shared a connection.

The rogue billing agency, whose principals refuse to comment on the issue, citing legal constraints, was not directly employed by the hospitals themselves. Instead, it was the billing agency for a group of pathologists who performed testing for all of them.

All four hospitals – Carney Hospital, Holyoke Medical Center, Milford Regional Medical Center and Milton Hospital – have since severed ties with the billing company, Goldthwaite Associates, and have informed the affected patients that their personal information was compromised.

But the story does highlight one of the many difficulties that hospitals face when trying to remain HIPAA compliant and properly protect patients' personal information and medical data. With so many different entities involved in the treatment, care and indeed billing of patients, one has to wonder whether it really is possible to ever completely protect sensitive patient information.