Six Lines

Paper-Based Violation of HIPAA

Posted by Aaron Massey on 27 Sep 2011.

If you’re going to steal large amounts of personally identifiable information, then you’re almost always better off doing so digitally rather than attempting to steal paper records. People notice when boxes and boxes of records go missing. In fact, the entire plot of The Firm hinges on a rather intricate attempt to make paper copies of records that would comparatively trivial to steal in a digital world.

Because of the problems of paper records, it’s really rare that you see huge paper-based violations of HIPAA. But apparently, it’s not impossible:

When Athens native Bobby Roberts placed a bid of more than $1,000 for the contents of a delinquent storage unit in Florence, he said he thought he was buying medical equipment and maybe old office files.

But on Sept. 10, when he opened the 20 or so boxes in the unit at Climate Guard Self Storage on Florence Boulevard, he discovered the boxes were filled with personal medical records from Digital Diagnostic Imaging Inc. Some were from as recently as 2009, while others dated to 2002.

Included on those records were not just medical details but patients’ Social Security numbers, addresses, phone numbers, insurance information and driver’s licenses.

Obviously, Roberts didn’t steal the records, but this is still a violation of HIPAA and the fault of the company that abandoned the records. Covered entities can’t just abandon paper-based records in a storage facility. It looks like Roberts is attempting to do the right thing with the records, but imagine what would have happened if someone else had won that auction.