[ Friday, December 17, 2010 ]
Great HIPAA Story:
My dear friend Karen Pyatt phoned this afternoon with an awesome HIPAA story that I just have to share. A woman in her office ordered an item from a company that sells glass products, ornaments, and decorative pieces. The order arrived, packed in a box, with roughly-shredded paper protecting the fragile glass cargo. However, the shredded paper was not the finely cross-shredded paper you usually see (think ticker tape parade trash), but was shredded in such a way that it was easy to read what had been printed on the paper.
As you have already guessed, the packing paper was the medical record of a clearly-identified woman with a skin rash of some sort. The woman's name, the name of the dermatologist office, and all sorts of medical information about the woman's ailment and her treatment were sent, along with the glass doodad, to a random office in St. Louis.
Presumably, the glass company buys bulk shredded paper to use as packing material. Presumably, the dermatology clinic hires some company to shred and properly (!!) dispose of its medical records. How those two streams of commerce, this input and this output, got connected is the big question. But it almost certainly involves somebody doing something pretty darned stupid, and almost certainly in violation of either HIPAA or a Business Associate Agreement.
Karen has agreed to contact the glass company and ask where they get their packing paper. She's also going to try to contact the dermatology clinic. I'll keep you posted. . . .
Jeff [3:56 PM]
Blogger: HIPAA Blog - Edit your Template