HIPAA ALERT: Forgotten Physical Safeguards Lead to Stolen Records


By Margaret Scavotto, JD
Director of Compliance Services
Management Performance Associates

In June 2017, an Illinois mom found two medical records in her middle schooler’s belongings.

This mom discovered that some of her daughter’s peers had stolen nursing home records from an abandoned nursing home, and passed them around at school.  The records included medications, doctor’s notes, diagnoses, social security numbers, addresses and other protected health information.

How did this HIPAA nightmare happen?

The nursing home closed its doors permanently in 2013. So how did a group of junior high students get their hands on these medical records?

Eighteen months after the facility closed, someone noticed a water leak at the home and called the city. The city found the building unlocked, with sharps in view, and medical records inside.

The mayor obtained a court order to remove the biohazardous materials (sharps and medications). However, the city did not have any authority to remove the medical records it found inside.

A restoration company made spot checks on the building to board up windows and make other essential repairs. This company also lacked authority to remove any property (such as medical records).

And, because the facility was no longer licensed after 2013, the Department of Health did not have any authority over the building or the records inside.

Six weeks after the middle schoolers broke in, the records are still inside, unsecured – some are “scattered throughout the hallway.” Time will tell if the OCR intervenes to investigate the records situation as a potential HIPAA violation.

What does the OCR say?

The Office of Civil Rights (OCR), which enforces HIPAA, has published an FAQ addressing the disposal of PHI. The OCR states that: “… covered entities are not permitted to simply abandon PHI…”

The OCR proceeds to give guidance on the factors covered entities should consider when it is time to dispose of PHI:

“However, the Privacy and Security Rules do not require a particular disposal method. Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed.”

Finally, the OCR gives an example of an appropriate disposal method for paper PHI:

“For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.”

The OCR is clear that HIPAA obligations do not cease until PHI is properly disposed. Address risks to PHI proactively by including disposal plans in your HIPAA Security Risk Analysis, so they will be easy to execute if and when the time comes.

[clickToTweet tweet=”HIPAA ALERT: Forgotten Physical Safeguards Lead to Stolen Records.” quote=”HIPAA ALERT: Forgotten Physical Safeguards Lead to Stolen Records.” theme=”style3″]


  1. This is very unfortunate. I have to imagine, as in most states when a provider closes down, there are requirements that the provider must take to ensure that the records are secured and that patients can still access them as needed and in accordance with other state laws relative to such a situation.

  2. Frank,
    You raise a great point: providers must also consider state regulations and guidance related to records disposal. In Illinois, the Skilled Nursing and Intermediate Care Facilities code does have a section addressing medical records, including destruction. As you mentioned, it is always crucial to check with legal counsel about the applicability of state records and confidentiality laws, in addition to considering HIPAA requirements.

Comments are closed.