Handling of community mental health center medical records raises HIPAA concerns
A small item of local news in Lincoln, Nebraska caught my eye this morning. And the more I read, the more concerned I became.
Kevin Abourezk reports in the Lincoln Journal Star:
Lancaster County officials think they may have found a way to move more than 200 boxes of medical records left in the basement of the former Community Mental Health Center.
Even before Lutheran Family Services took over the mental health center in early February, county officials began looking for a way to move the medical records to a storage location. But because of the sensitive nature of the records, the county couldn’t find anyone who could move them without violating federal health privacy laws.
This week, the county decided to hire a temporary employment agency to move the boxes.
“That’s something we must get done,” said Gwen Thorpe, the county’s deputy chief administrative officer.
Lutheran Family Services took over the mental health center’s core services, as well as its headquarters, in early February. The Lancaster County Board decided last year to privatize county-run mental health services for low-income people in an effort to save money.
Health agencies must keep medical records for at least 10 years before disposing of them. The files in the basement of the former mental health center are for the center’s clients.
Lutheran Family Services uses mostly electronic records to track clients’ medical histories. As a result, the county contractor didn’t need the boxes of medical files for its own use.
The county had considered having Experience Works, a job placement agency for older workers, move the boxes. One county official suggested having county inmates move the boxes, but that idea was quickly rejected over fears of violating federal health privacy laws.
This week, the county decided to ask Manpower, another job placement agency, to handle the job, Thorpe said.
She said she expects it will take two people working eight hours a day for three weeks to move all the boxes to the county’s records storage site in the K Street Building, 440 S. Eighth St.
She said she isn’t concerned about workers reading the files but said she planned to check on the workers periodically anyway to ensure they aren’t.
“Quite frankly, they’re boring files,” she said.
Where do I start with my concerns? In no particular order:
How were those boxes with medical/mental health records physically secured in the interim? Was their security compliant with HIPAA’s Security Rule?
If the files are so sensitive that they trigger federal privacy protections (and community mental health centers are HIPAA-covered entities), why didn’t the county or contractor immediately arrange for a business associate agreement with a vendor – and a vendor who does criminal background checks on its employees?
How does Ms. Thorpe know the files are “boring”? Has she looked at them? And if so, why? Did she inspect or read files as part of a risk assessment, or was she just casually looking at files? Is there a formal written plan that outlined who would look at the files and that noted every access to the files so that patients/clients could request disclosure records? Who else has looked at those files?
What kinds of personal information are in those files? Are SSNs in there? Diagnoses? Medications? What?
And why isn’t Ms. Thorpe concerned about temporary employees reading the files? She should be if the files contain sensitive information, however boring she, personally, might find them.
What’s the physical security for the county’s records storage site? Will it comply with HIPAA’s Security Rule?
I’m just sitting here shaking my head over this whole thing. You may think I’m over-reacting, of course, but as a mental health professional, this type of situation is very concerning to me. And I wonder what HHS would do if they were aware of this situation.