Abandoned medical records and their privacy implications made the news in two separate incidents over the past 10 days. One instance was in the Commonwealth of Massachusetts, while the other was in the Canadian Province of Alberta. Common sense should tell all of us that this is not just a US or Canadian issue, and a quick search turned up incidents with a bankrupt contractor in an Australian amusement park, a closed Scottish hospital and several more situations in Illinois, California and North Carolina, in addition to the visual evidence below.
The most recent occurrence, near Concord, Massachusetts, involved Dr. Ronald T. Moody. He was evicted from his office in September after state regulators pursued him for practicing without a license. The patient records from Moody’s office in Acton were scheduled for disposal in March when an employee of the storage company holding the records contacted the state Board of Registration in Medicine. The Board had neither the authority nor the budget to move or store the records or to notify the patients.
Massachusetts state law requires that medical records be kept for 7 years after the last visit, after which time the records may be destroyed without notification. These requirements transfer to deceased physicians’ estates and inherited practices. What’s not covered: abandoned or abruptly closed offices. There are no laws relating to patient notification, and no state agency has responsibility for finding patients or delivering notice in these circumstances. Even policies dealing with abandoned records aren’t necessarily covered by the physician trade associations, such as the Massachusetts Medical Society. Thankfully, Emerson Hospital offered to take responsibility and shoulder the costs for the records.
This isn’t one isolated state. California appears to have a similarly unsettling situation, and, after a media frenzy over the sale of records by self-storage facilities, Maine is only now beginning to tackle the problem of records stored in a self-storage facility.
Other states are clear cut and straightforward, including Florida’s statute 456.057 (21) and Texas’ Medical Board’s 165.4, allowing the State’s Licensing Board or Department of Health to appoint a custodian and attain ownership and direction of abandoned records.
The second orphaned records incident took place in Didsbury, Alberta. The College Green Medical Clinic closed after the lead physician suffered a stroke. After the physician’s passing, the other partners decided to quit the practice, taking some of their patients’ records with them. However, 111 boxes remained after the closing and departures, representing over 3,000 patients’ medical records. Surprisingly, two similar occurrences happened about a year earlier in the City of Yorkton in Saskatchewan. In those events, thousands of Canadian patients’ health records were found in two empty office buildings. The Health Information Protection Act, Canada’s HIPAA, requires physicians to retain records for 6 years and includes possible jail time and maximum breach penalties of $50,000 for individuals and $500,000 for an organization.
Each Canadian territory has a separate Privacy Commissioner for enforcement and fine assessment. Unlike in the European Union, the Canadians are not under a comprehensive privacy framework where all private information is protected (ed: a popular topic on the CIPP), and therefore recently passed the Health Professions Amendment Act to strengthen regulations of patient file storage. Instead of the EU comprehensive framework, the Canadians use a co-regulatory model, placing regulatory bodies for groups like doctors, pharmacists and hospitals in charge of establishing standards for formal record storage plans. In the event files are abandoned, the regulatory body will then be in charge of securing them, while the Privacy Commissioner makes sure it happens.
The US doesn’t approach the problem with the same fervor. With over 908,000 physicians in the US and a lack of clear responsibilities from state to state, it’s a wonder more abandoned record reports are not surfacing. Discussion threads and commentary associated with the two most recent stories expect the Electronic Health Record (HITECH) requirements from the U.S. Economic Stimulus package to eliminate all of the lost record worries in a single, silver, digital bullet. A Massachusetts law passed last year requires electronic health records by 2015. Other states have recently followed suit, clamoring for the billions in stimulus funds. And there are many benefits to be had from replacing paper files with electronic records. Drug interaction flagging, reduced costs, fewer transcription errors and higher quality of care are all cited as pros for an EHR program. The US sees good reason in forcing the issue – a 2007 Harvard study showed only 17% of US doctors were using electronic records. One thing’s for sure, EHR will bring about unprecedented access to a patient’s personal information.
As with everything digital, there is a big drawback. EHR will bring about unprecedented access to a patient’s personal information. Physical record protection is well understood (guards, gates, and guns), and the occasional fire or misplaced box of records is troublesome but overcome with a copy machine and offsite storage. It’s difficult to divulge a lot of records when you have to go office to office in an 18-wheeler. Digital records fit on a thumb drive, and thirty years after the first computer virus, technology professionals are still struggling with information security. A single breach of a large EHR holder could ruin a large swath of people financially, socially, and professionally, and even affect their descendants’ insurability. Need examples? A religious official with an abortion on file, a positive HIV test in a long-standing monogamous relationship, a genetic predisposition to alcoholism/obesity/violence. These probably led to HIPAA forcing your doctor to not leave voice mail messages on answering machines – now we have to deal with doctors upgrading desktops.
With President Obama’s push towards electronic medical records and the amount of money being spent on updating the US medical system in the stimulus package, expect to see 83% of the US’ physicians dragged into the 21st century. We’ve seen we can’t expect every physician to properly protect a piece of paper. What happens when there’s not even the cost of paper deterring them from making another copy of a patient’s chart?