[BreachExchange] Healthcare Hazards Involving Medical Records During Bankruptcy

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 10 19:05:42 EDT 2018


Companies in the healthcare industry face many unique challenges when
undergoing a bankruptcy, including challenges arising due to the federal
and state law framework governing the use and disclosure of medical
information. In February 2018, the U.S. Department of Health and Human
Services (HHS) announced that it had reached a settlement with the receiver
appointed to liquidate the assets of Filefax, Inc., a medical record
storage and transportation company, resolving claims against Filefax for
potential violations of the Health Insurance Portability and Accountability
Act (HIPAA). The HHS investigation, which commenced in 2015, indicated that
Filefax impermissibly disclosed the protected health information (PHI) of
2,150 individuals by leaving the PHI in an unlocked truck in the Filefax
parking lot, or by granting permission to an unauthorized person to remove
the PHI from Filefax and leaving the PHI outside the Filefax facility for
collection in an unsecured manner. During the investigation, Filefax
stopped operating and was involuntarily dissolved. As part of the
settlement, the receiver agreed to pay $100,000 out of the receivership
estate and to properly store and dispose of the remaining medical records
in compliance with HIPAA.

Medical Record Storage and Maintenance

While HIPAA requires covered entities (i.e., health plans, healthcare
providers, and healthcare clearinghouses) and their business associates
(generally, persons or entities providing services that involve the use or
disclosure of PHI to or on behalf of a covered entity) to maintain the
privacy and security of PHI during maintenance, storage, and disposal of
PHI, state laws typically govern the length of time the medical records
must be kept. For example, in Texas, a hospital must maintain medical
records for 10 years from the date of last treatment of the patient, or, if
the patient was under 18 when last treated, for the longer of 10 years or
until the patient reaches the age of 20. State laws can vary based on the
type of person or entity and record involved, although often these record
maintenance laws apply only to specific types of healthcare providers. In
addition, certain other statutes may apply. For example, the Centers for
Medicare & Medicaid Services (“CMS”) require hospitals to maintain medical
records for five years.

Maintenance and storage of medical records may be complicated further if
the covered entity or business associate is undergoing a bankruptcy and
lacks the financial resources required for proper maintenance and storage
of the patient records. The United States Bankruptcy Code (the “Bankruptcy
Code”) permits a “health care business” that is a debtor in bankruptcy to
dispose of patient records in a certain manner if the debtor/trustee has
insufficient funds to pay for storage of the patient records as required by
federal or state law. Specifically, the healthcare business must publish
notice in a newspaper of the intent to destroy the records and must attempt
to contact directly each patient and the patient’s insurance provider. The
records must be kept for at least one year, and if no one claims the
records, the trustee must offer them to the appropriate federal agency.
Records that are not accepted by the appropriate federal agency may then be
destroyed as set forth in the Bankruptcy Code. A “health care business” is
defined in the Bankruptcy Code to include any public or private entity that
is primarily engaged in offering to the general public facilities and
services for the diagnosis or treatment of injury, deformity, or disease,
and surgical, drug treatment, psychiatric, or obstetric care, including,
but not limited to, any hospital, emergency or surgical treatment facility,
hospice, home health agency, and nursing, assisted-living, or long-term
care facility.

While the definition of “health care business” in the Bankruptcy Code
covers many healthcare providers, it does not cover every healthcare
provider. Further, if there is no applicable federal or state law
requiring the healthcare business to maintain the patient records for a
certain period of time, courts have some discretion to develop procedures
on a case-by-case basis. For example, after finding no relevant state law
requiring the debtor to maintain the patient records and noting that the
trustee had no funds to store patient records, the court in In re LLSS
Mgmt. Co., Inc. ordered the trustee to keep a compact disk (for no cost)
that contained the names and addresses of patients to whom a prescription
mixture was given and for whom anti-depressants were prescribed, and to
notify patients that their medical histories would be shredded after sixty

Disclosure of Records During Sale or Winding Up

Part of the bankruptcy or winding up process may involve the sale of some
or all of the debtor’s assets, and potential purchasers may have access to
medical information during the due diligence process. HIPAA has certain
exceptions to allow for the disclosure of PHI during the due diligence
process, but the exceptions are limited in nature and must be analyzed
carefully to ensure compliance. For example, a covered entity may disclose
PHI for due diligence related to a sale, transfer, merger, or consolidation
without obtaining patient consent if the transaction is between two covered
entities, or between a covered entity and an entity that will become a
covered entity following the transaction.

Best Practices

Given the complexity of the federal and state laws applicable to medical
record privacy and security during a bankruptcy or winding up, companies in
the healthcare industry should take certain steps to limit their exposure
(e.g., earmarking funds for medical records management in liquidation or
restructuring budgets, and ensuring appropriate privacy and security
policies and procedures are continued during this process). Healthcare
providers and their vendors should also proactively address medical record
storage, destruction, and ownership in their agreements and consider adding
specific provisions to address “wrapping up” services in the event of a
bankruptcy. Finally, companies in the healthcare industry should carefully
consider disclosures made during a potential purchase and engage legal
counsel to help determine whether HIPAA, state laws, and applicable
exceptions apply.