SCGhealth Blog

Don’t let your disposal vendor mishandle your trash into a HIPAA violation

Tuesday, January 17, 2017

By Marla Durben Hirsch, contributing writer


Providers continue to be confused as to how to dispose of their trash without running afoul of HIPAA. But the stakes are now higher – because it’s often the provider’s trash collector that’s exposing the patient data that’s in the garbage.

The Department of Health and Human Services’ Office for Civil Rights (OCR), which enforces HIPAA’s privacy and security rules, has published guidance on proper disposal methods. While HIPAA doesn’t require particular processes, OCR suggests several, such as shredding, burning, pulping or pulverizing the records so that patient protected health information (PHI) is unreadable and cannot be reconstructed. Records treated this way are considered “secured”; a breach of them doesn’t even have to be reported.

However, many providers still don’t realize that they need to take this step as part of disposal. A number of them, including CVS, Rite Aid and Cornell Prescription Pharmacy, have settled alleged HIPAA violations after disposing of unsecured records and other materials containing PHI in unlocked, publicly accessible dumpsters. State attorneys general have also fined providers, even solo practitioners, for faulty trash disposal.

And it gets worse: many providers have turned to outside vendors to dispose of their trash, and those vendors are making mistakes that expose PHI, in violation of HIPAA. The provider remains ultimately liable even though it has entrusted the vendor with the disposal.

A simple Google search reveals a multitude of these incidents.

For example, the disposal company hired by physician-owned Radiology Regional Center, which has several facilities in Florida, exposed patient PHI in December 2015 when the back of the truck transporting the records to an incinerator opened, spilling the contents all over the road. While the Center spent considerable time combing the area and retrieving the records, it still had to notify 483,663 patients about the breach. The incident triggered a lawsuit in 2016 from several patients who claim, among other things, that the doctors were unaware of their obligations regarding proper trash disposal and admitted ignorance of them. That lawsuit is still pending.

And that may not be all. OCR has for the first time begun to train its sights on mistakes made by business associates. In 2016 the agency resolved several enforcement actions with providers and business associates for security breaches caused by the business associates. It would not be surprising for OCR to investigate Radiology Regional and other providers whose records have been compromised by their disposal company.

Review all of your business associate agreements with those handling PHI on your behalf to ensure that you are adequately protected in case the business associate exposes patient information. For example, the business associate should pay for the costs of the breach, such as the expense of notifying patients and offering them free credit monitoring. OCR has a model business associate agreement that can help you.

If you delegate trash disposal and destruction to an outside vendor, make sure you know how the vendor will safeguard the information and dispose of it. For instance, look to see if the containers the disposal company is using are sturdy. Ensure that the vendor’s staff is trained in HIPAA compliance.

Be proactive to the extent possible regarding your trash. Consider having the trash incinerated on site so it doesn’t have to be transported. Make the trash unreadable yourself before giving it to the vendor to cart away, say by shredding it or obliterating PHI with a marker. Had Radiology Regional Center taken some of those steps, it might not be in the hot seat it is in today.

Ransomware protection starts with backups

Tuesday, March 08, 2016

By Shannon Carpenter

It will start off like any other day. Drop the kids off, run through a drive-thru for coffee, turn your computer on and try to access your server. A small message box will pop up saying something techy like “unable to access the server at this time”. If you are lucky enough to be a normal worker, you buzz your ‘IT’ person to let them know, and they take care of the problem. If you are unlucky enough to be someone like me, the ‘IT’ person, you walk back to where the server is and stare in abject horror. For there, on the screen, is a message unlike any you have ever seen. Your server has been infected with ransomware and your files are being held for ransom money.

If you are like me, you have taken a few requisite computer classes in college. How you became the “IT” person of the small company you work for was really nothing more than this: you fixed the boss’s computer one time, and that was it, you were crowned as the person to call if there were technical issues. Over the years, you may have learned a thing or two about being tech savvy. First thing to check: power supply. Second: are all the cords connected? You see where I’m going with this, right?

So now is the day that someone tells you that the server isn’t working. You wander on back there with your fool-proof trick in your pocket. Reboot! It fixes everything, right? Not this time, my friend. This time, there is a message for you. Your server has been taken over by cyber hackers, and your data is being held for ransom. I won’t elaborate on the thoughts that ran through my head; I’m sure you can all guess. This is the point in the story where my type A personality really saved the day. BACKUP!!! That’s right, they may have taken our server, but I still had the backup that would run every night. No ransom was paid and life went on.

Ransomware defined

The term “ransomware” means any type of software or malware that infects a computer and encrypts files without authorization. The files stay encrypted until the owner pays a ransom. Over the past month, multiple hospitals around the world have had their servers, electronic health records or email systems breached and held for millions in a new electronic currency called Bitcoin. Whether your business serves millions of clients every year or just a few hundred local townies, internet security must be made a company priority. It can be as simple as an unwitting employee clicking on an attachment or downloading a funny video to let in these cyber terrorists.

The repercussions of these attacks will be felt for years to come. Patients may begin to withhold vital information for fear of whose hands their electronic records will end up in. Liability insurance rates will increase as well as additional “ransomware” riders will be added. Any personal use of company computers will need to be restricted for fear of the unknown Trojan horse.

You can take precautions

Across the world hospitals, corporations, school districts and police departments are under cyber-attack. They have dozens of trained men and women at their disposal to try to prevent these scenarios and then manage them when they do inevitably arrive. No system is impenetrable. Here are my few words of wisdom for the more modest companies with only a handful of employees.

  1. Keep all antivirus protection and operating system software up to date. Really, every day have all computers in your office run a check for updates. This includes your antivirus, your operating system and the software you use every day.
  2. Back up! Preferably back up to a HIPAA-compliant offsite server in case of a fire or theft. As stated above, I back up every night. These backups are rotated in and out, with one being taken home with me and put into my fireproof safe. Ok, not really, but that is what I should have been doing! My actual backup was literally sitting right next to our corrupted server.
  3. Hire someone who actually knows something about computers. They don’t have to be on full-time staff; maybe they come by once a month. Put in place a Business Associate agreement to make everything nice and HIPAA compliant.
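The nightly backup, rotation and restore check that step 2 describes, as an added example that is not part of the original post. The directory layout, the `KEEP` count and the embedded SHA-256 manifest are assumptions; the point is that a copy is only a backup once you have proven it can be read back, before the day you need it.

```python
"""Nightly backup with rotation and restore verification (added example).

Assumed layout: the source tree is archived to backup_root/backup-<UTC
stamp>.tar.gz with a SHA-256 manifest stored inside the archive, and only
the newest `keep` archives are retained on that medium (one copy goes offsite).
"""
import hashlib, io, json, tarfile
from datetime import datetime, timezone
from pathlib import Path

KEEP = 7  # nightly copies to retain on this medium (assumed value)

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_backup(src: Path, backup_root: Path, keep: int = KEEP) -> Path:
    """Archive src with a per-file digest manifest, then rotate old copies."""
    backup_root.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%f")
    dest = backup_root / f"backup-{stamp}.tar.gz"
    manifest = {}
    with tarfile.open(dest, "w:gz") as tar:
        for f in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = f.relative_to(src).as_posix()
            manifest[rel] = _sha256(f.read_bytes())
            tar.add(str(f), arcname=rel)
        raw = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(raw)
        tar.addfile(info, io.BytesIO(raw))
    # Rotation: names sort by timestamp, so drop all but the newest `keep`.
    for old in sorted(backup_root.glob("backup-*.tar.gz"))[:-keep]:
        old.unlink()
    return dest

def verify_backup(archive: Path) -> bool:
    """Restore check: every manifest entry must be present and intact."""
    try:
        with tarfile.open(archive, "r:gz") as tar:
            manifest = json.load(tar.extractfile("MANIFEST.json"))
            for rel, digest in manifest.items():
                member = tar.extractfile(rel)
                if member is None or _sha256(member.read()) != digest:
                    return False
    except (tarfile.TarError, OSError, KeyError, ValueError):
        return False  # unreadable or truncated archive is a failed backup
    return True
```

Run `verify_backup` on the copy you carry offsite as well as the one left on site; a copy that fails the check is the one you cannot restore from on the morning the server greets you with a ransom note.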

If the worst were to happen and your system is attacked, these steps will help in more ways than you can imagine. The backup may be enough to keep you from paying the ransom. That tech savvy person you now have on staff will be able to help you restore the backup, and off you go. The updated malware protection may help keep all computers and files from being infected.

These steps will also show the powers that be that you made a best effort at keeping any and all PHI located on your computers protected. Having a Business Associate agreement with anyone who has access to PHI is also vital in showing that you and your business take security seriously. (These are also required in many states, depending on your licenses and certifications.) Depending upon your state, severe fines can be levied if certain security steps are not taken before and after a breach.

We live in a world that is run by technology. It is a fact that we must accept and respect. If you or someone on your staff is not truly capable of protecting your systems, hire someone who is.

Not me, but maybe my 8-year-old.

SCG Health is a tradename of the Searfoss Consulting Group, LLC. You may reproduce materials available on this site for your own personal use and for noncommercial distribution. For more information, please read the Content Sharing Policy. Art & design by SCG Health. DISCLAIMER: You should consult an attorney for individual advice regarding a particular set of facts and circumstances. SCG Health reserves the right to change the information on this website without notice.