Medical Record Security Key Focus in Indiana Senate Bill
A recent bill passed in the Indiana senate hopes to ensure stronger medical record security by updating the definition of “abandoned” records.
Database owners are now required to ensure medical record security by safeguarding healthcare data stored in their systems, according to a recently updated Indiana bill.
Senate Bill 549 changed the definition of “abandoned” medical records to include electronic records, and not just paper records that have been improperly discarded or disposed. Additionally, the Indiana Attorney General can now recover the costs of protecting discarded healthcare records.
“[The bill] also applies current law concerning database security to a data base owner currently exempt from the law if the database owner does not have or implement a plan to safeguard personal information after ceasing to be a covered entity under the Federal Health Insurance Portability and Accountability Act (HIPAA),” stated the bill’s fiscal impact statement.
Abandoned records had previously been considered records that were “voluntarily surrendered, relinquished, or disclaimed by the health care provider or regulated professional, with no intention of reclaiming or regaining possession.”
In addition, abandoned records are considered ones that are “recklessly or negligently treated, such that an unauthorized person could obtain access or possession.”
Health records also include written, electronic, or printed information that a healthcare provider possessed or maintained.
The bill went into effect on July 1. It also expands situations where the state attorney general may file actions, including the following:
- When health records are recklessly or negligently treated such that an unauthorized person could obtain access or possession of the records
- When the AG incurs costs in completing its responsibilities under Indiana Code when health records are abandoned
- When a database owner who maintains their own data security procedures under HIPAA fails to implement and maintain reasonable data protection procedures or improperly disposes of or abandons data
SB 549 also states that there may be exceptions for data base owners that maintain their own “data security procedures as part of an information privacy, security policy, or compliance plan” under certain regulations. These include, but are not limited to, the Patriot Act, the Fair Credit Reporting Act, and HIPAA regulations.
However, current or former healthcare providers (as defined by IC 4-6-14-2) who are data base owners or former data base owners, where an exception applies, need to implement and maintain reasonable procedures for data security.
“A data base owner shall not dispose of or abandon records or documents containing unencrypted and unredacted personal information of Indiana residents without shredding, incinerating, mutilating, erasing, or otherwise rendering the personal information illegible or unusable,” SB 549 reads.
Indiana Senator Aaron Freeman co-authored the bill and told The Indiana Lawyer that the law is meant to encourage medical professionals to have a plan in place to protect patient data.
“We need to button up people’s private information where we can, especially their private medical information,” Freeman explained to the news source. “When companies do go out of business, they need to make sure these records are secure.”
HIPAA regulations do have requirements in terms of proper disposal of patient health information.
There is not a particular disposal method required, but covered entities cannot “abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons,” according to an OCR FAQ.
“Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps,” OCR stated. “In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed.”
For example, OCR said shredding, burning, pulping, or pulverizing paper records could be acceptable forms of disposal. Furthermore, ePHI could be disposed of in the following manners:
- Clearing (using software or hardware products to overwrite media with non-sensitive data)
- Purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains)
- Destroying the media (disintegration, pulverization, melting, incinerating, or shredding)
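The first of those three methods, clearing, is the one a records custodian can carry out in software. The following is an added example, not part of the OCR guidance or the article: it writes a constructed sample record (no real patient data) to a temporary file, overwrites the file in place with random bytes and then zeros, flushing each pass to the device, checks that the original text no longer appears in the file's bytes, and only then unlinks it. The file name, the sample record and the helper names are this example's own assumptions. The overwrite-before-delete approach only counts as clearing where the overwrite actually reaches the blocks that held the data, which is the case for a plain magnetic disk but not for SSDs with wear leveling, copy-on-write or snapshotting file systems, or media that was backed up; for those, purging (for example a firmware sanitize or cryptographic erase) or physical destruction is the applicable method.

```python
import os
import secrets
import tempfile

# Constructed sample ePHI: not a real record, just text we can search for afterwards.
SAMPLE_RECORD = b"PATIENT: Jane Doe (constructed sample)\nMRN: 000-0000\nDX: example\n"
MARKER = b"Jane Doe"
CHUNK = 1 << 20  # overwrite in 1 MiB chunks so large files do not load into memory


def overwrite_in_place(path: str, passes: int = 3) -> int:
    """Overwrite every byte of `path` in place, `passes` times.

    Early passes write cryptographically random bytes; the final pass writes
    zeros so a post-check sees a uniform pattern. Each pass is fsync'd so the
    data leaves the page cache. Returns the number of bytes overwritten per pass.
    Caveat (see lead-in): only meaningful where the write reaches the original
    blocks; SSDs, CoW file systems, snapshots and backups defeat this.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for n in range(passes):
            final_pass = n == passes - 1
            fh.seek(0)
            remaining = size
            while remaining:
                length = min(CHUNK, remaining)
                fh.write(b"\x00" * length if final_pass else secrets.token_bytes(length))
                remaining -= length
            os.fsync(fh.fileno())
    return size


def contains_marker(path: str, marker: bytes) -> bool:
    """Read the file's current bytes back and report whether `marker` survives."""
    with open(path, "rb") as fh:
        return marker in fh.read()


def clear_record_file(path: str, marker: bytes, passes: int = 3) -> dict:
    """Clear a file: overwrite, verify the marker is gone, then unlink.

    Returns a small report so the custodian can log what was done, which is the
    kind of evidence a disposal policy would ask for.
    """
    marker_before = contains_marker(path, marker)
    bytes_written = overwrite_in_place(path, passes)
    marker_after = contains_marker(path, marker)
    os.remove(path)
    return {
        "bytes_per_pass": bytes_written,
        "passes": passes,
        "marker_present_before": marker_before,
        "marker_present_after": marker_after,
        "file_exists_after": os.path.exists(path),
    }


def demo() -> dict:
    """Write the constructed record to a temp file, clear it, and return the report."""
    fd, path = tempfile.mkstemp(prefix="ephi-demo-")  # hypothetical file name
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_RECORD)
    return clear_record_file(path, MARKER)


if __name__ == "__main__":
    print(demo())
```

Running the block prints a report showing the marker present before the overwrite, absent after it, and the file gone. The report is the useful part: a disposal procedure is only defensible if there is a record that the step was carried out and checked, not just that a delete command was issued.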
Additionally, the HIPAA Privacy Rule does not require covered entities to keep patients’ medical records for any period of time. State laws tend to dictate how long medical records should be maintained, the agency explained.
“However, the HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal.”