A reminder to all covered entities out there that may be considering selling their business – don’t forget your file cabinet!! (or computers .. or disks ... or seemingly “empty” boxes where PHI may be lurking…..well, you get the picture).
NJ Times reports today that Aetna is notifying 7,250 people after paper files containing their PHI was accidentally left in a file cabinet that was being sold after an office move. The press release indicates that over 2,346 New Jersey residents were affected and over 4,013 in Pennsylvania, as well as a few in Connecticut and Delaware. Apparently, the files were voluntarily returned to Aetna after the individual who purchased the file cabinet discovered them. Aetna issued a press release indicating that it “has no reason to believe the information will be misused in any manner." Nevertheless, Aetna is notifying affected individuals and offering them a credit-monitoring service. Aetna also indicates that it has many privacy policies and processes in place, but corrective action will be taken to ensure that such a “mistake” does not happen again.
The Aetna “breach” raises a number of interesting questions, many which I often am asked about in similar contexts. Specifically: 1) Can PHI be disclosed in connection with a sale of a business? 2) Must a seller purge or maintain PHI that is not transferred in connection with the sale of such business? and, 3) Who do I have to notify in the event of a breach?
I’ll tackle Questions #1 & #2 in today’s post, and save #3 for follow-up.
HIPAA actually does not require a patient’s written authorization to use or disclose PHI in connection with the sale of a business, in certain limited circumstances. A sale of a business is considered a “health care operation,” which is defined in the HIPAA Privacy Rule to include:
“the business management and general administrative activities of the covered entity including, but not limited to … (iv) the sale, transfer, merger, or consolidation of all or part of such entity with another covered entity, or an entity that following such activity [or completed purchase] will become a covered entity, and the due diligence related to such activity.” See §164.501.
Therefore, if Aetna had sold its filing cabinet to an entity that was acquiring its health plan business, then there would have been no breach under the federal standards. However, in this situation, it appears that the patients’ files were simply inadvertently left in Aetna’s file cabinet after furniture was sold to a random buyer in connection with an office move. As such, there appears to have been a lapse in either following or implementing adequate safeguards.
The HIPAA Privacy Rule requires covered entities to implement appropriate administrative, technical, and physical safeguards to protect PHI from intentional and unintentional use or disclosure that is in violation of the Privacy Rule (see § 164.530(c)(1)-(2). However, it is the Security Rule that provides more detailed guidance on the types of safeguards that may be useful. Specifically, the Security Rule requires covered entities to:
“implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within a facility.” (see §164.310(d)(1).
The Rule goes on then to require covered entities to implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored (see §164.310(d)(2)(i)-Disposal). The Security Rule also requires covered entities to maintain a record of the movements of hardware and electronic media and any person responsible therefore. (see §164.310(d)(2)(iii)–Accountability).
Although the Security Rule technically applies only to electronic PHI, the Aetna situation illustrates why it makes sense to implement similar sorts of controls for paper PHI. After all, if it makes sense to keep track of computers that store electronic PHI so that such information does not inadvertently end up in the hands of someone who should not have it, would it not make sense to implement similar safeguard controls for a file cabinet that “houses” paper PHI?
It would seem so.