10 Years of Abortion Records Found In Houston Warehouse – HIPAA Journal
According to a recent report on Houston Radio station, KTRH, the medical records of hundreds – and potentially thousands – of women that attended an unspecified Houston abortion clinic have been discovered in a warehouse in the city.
The records were discovered by the owner of the warehouse, Esmeralda Cedillo, when she was walking her dog. The warehouse had not been used for 7 years until the dog got inside and dragged out a number of files and began tearing them up. Cedillo entered the warehouse looking for the source of the files and found boxes of paperwork together with containers of opiate drugs.
The boxes of files had been left in the warehouse by a now estranged relative who worked at an abortion clinic. The information in the files included sensitive medical information, personal details and Social Security numbers of women who had had abortions at the clinic between 1992 and 2012.
Cedillo was unsure what she should do about the files, as she was aware that the files should not be disposed of in a dumpster, yet she didn’t want to keep the files on her property. According to the Health Portability and Accountability Act (1996), electronic health records and other protected data cannot be shared or disseminated.
Other than checking to determine the contents of the files, Cedillo had not viewed the information contained in the boxes and she has not divulged any information that she saw, other than providing details of the type of information the files contained.
The presence of the files in the warehouse raises a number of questions that the Department of Health and Human Services’ Office for Civil Rights may wish to investigate. Paper records containing the medical information and personal identifiers of patients must be securely stored to prevent unauthorized access and once the records are no longer required, must be destroyed, shredded or rendered permanently unreadable.
However, under Texan law, it is not as simple as shredding or destroying records when they are no longer required. There is a requirement for some medical records to be retained and stored for a period of 7 years from the last date that a medical service was provided to a patient, or until a patient reaches the age of 21. The records may therefore have been in storage to comply with Texas laws, although it would appear that there has been a violation of Privacy and Security regulations.
For Cedillo the problem of what to do with the files has now been resolved. Attorneys from the law firm of Noah Meek – which is representing the now closed abortion clinic – have been in touch and arranged to collect the files. The firm has also issued a reward to Cedilla for keeping the files and their contents confidential.
At present it is not known whether the OCR or Attorney General’s Office will be following up on the incident and conducting an investigation into potential HIPAA violations.