On February 13, 2004, television station CBS-2 in Chicago did an exposé on the University of Illinois - Chicago Medical School (UIC) that illegally dumped hundreds of pieces of computer equipment into their trash dumpster. An anonymous caller tipped off the television station. When they arrived, they found dozens of monitors, computers, printers and more, all with government tags and all destined for disposal. Some were marked bad or broken, others simply surplus. All were property of the State of Illinois.
When the news crew arrived, scavengers were going through the piles, and one scavenger loaded an entire pick-up truck bed full and drove away. A local not-for-profit, Computers for Schools, protested because of the amount of still-usable equipment in the trash. In fact, the television reporter went back to the Computers for Schools offices with a selection of items to see if they worked. In addition to being completely functional, the machines turned out to have hard drives that had never been wiped before they were thrown away. As a result, confidential patient files, along with many other files, could still be pulled up and read on the computers. Even the warning about the user being responsible for the confidential information inside was still there. Within minutes they were able to boot a machine up and access all the data on it.
Not only did the university break state law in its management of surplus equipment paid for by tax dollars, it also broke hazardous waste rules by trying to dispose of well over the allowable 220 pounds of hazardous waste in a single month. Beyond environmental and state laws, UIC also broke federal HIPAA rules requiring that confidential patient data be managed to protect the patient.
The final HIPAA rule to protect the confidentiality of individually identifiable health information was issued in December 2002 and took effect April 2003. The rule limits the use and disclosure of certain individually identifiable health information; gives patients the right to access their medical records; restricts most disclosure of health information to the minimum needed for the intended purpose; and establishes safeguards and restrictions regarding the use and disclosure of records for certain public responsibilities, such as public health, research and law enforcement. Improper uses or disclosures under the rule are subject to criminal or civil sanctions.
In February 2003, the federal government adopted final regulations for security standards to protect electronic health information systems from improper access or alteration. Under the security standards, covered entities must protect the confidentiality, integrity and availability of electronic “protected health information.” The rule requires covered entities to implement administrative, physical and technical safeguards to secure electronic protected health information in their care. The standards use many of the same terms and definitions as the privacy rule to make it easier for covered entities to comply. Most covered entities must comply with the security standards by April 21, 2005, while small health plans will have an additional year to come into compliance.
In addition to the HIPAA concerns, in the case of UIC's disposal of confidential data it would have been easy for anyone who picked up one of the computers to steal the personal identity information of the patients whose files were on them.
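The failure described above is a missing sanitization step: the drives left the building with their data intact, and nobody verified otherwise before disposal. The following is an added example, not code from the article or from UIC, showing what that overwrite-and-verify step looks like against a constructed disk image in a temporary file. The image contents, the patient record planted in it and the file paths are all invented for the demonstration; the "readable data" check simply looks for long runs of printable text, which is a cheap way to catch a drive that was never wiped.

```python
"""Overwrite-and-verify media sanitization, demonstrated on a constructed image file.

Added example (not from the original article or from UIC). A temporary file
stands in for a surplus hard drive so the demo runs offline; every value in it
is constructed for illustration.
"""
import mmap
import os
import re
import tempfile

CHUNK = 1 << 16  # 64 KiB read/write granularity

# Runs of 16+ printable ASCII bytes are a cheap signal that readable data remains.
_TEXT_RUN = re.compile(rb"[\x20-\x7e]{16,}")


def make_demo_image(path: str, size: int = 1 << 20) -> None:
    """Write a constructed 1 MiB image: zeros with one fake patient record planted mid-way."""
    record = b"PATIENT: Jane Doe  MRN: 000-111  DX: example diagnosis (constructed)\n"
    with open(path, "wb") as f:
        f.truncate(size)
        f.seek(size // 2)
        f.write(record)


def find_readable_runs(path: str, limit: int = 10) -> list:
    """Return up to `limit` (offset, text) pairs of readable ASCII still present on the image.

    The file is memory-mapped so the regex scan does not load the whole device into RAM.
    """
    hits = []
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for m in _TEXT_RUN.finditer(mm):
            hits.append((m.start(), bytes(mm[m.start():m.end()]).decode("ascii")))
            if len(hits) >= limit:
                break
    return hits


def overwrite_with_zeros(path: str) -> int:
    """Overwrite every byte of the image with zeros and flush to stable storage; returns bytes written."""
    size = os.path.getsize(path)
    zeros = bytes(CHUNK)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(CHUNK, size - written)
            f.write(zeros[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def verify_zeroed(path: str) -> bool:
    """Independent read-back: True only if every byte of the image is zero."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def sanitize_and_verify(path: str) -> dict:
    """Scan, overwrite, then re-scan and read back; the report is what a disposal record should hold."""
    before = find_readable_runs(path)
    overwrite_with_zeros(path)
    after = find_readable_runs(path)
    return {
        "readable_before": len(before),
        "first_hit": before[0][1] if before else "",
        "readable_after": len(after),
        "all_zero": verify_zeroed(path),
    }


def run_demo() -> dict:
    """Build the constructed image in a fresh temp directory, sanitize it and return the report."""
    path = os.path.join(tempfile.mkdtemp(prefix="surplus-drive-"), "drive.img")
    make_demo_image(path)
    report = sanitize_and_verify(path)
    report["image_path"] = path
    return report


if __name__ == "__main__":
    print(run_demo())
```

The point of the read-back in `verify_zeroed` is that sanitization is only done when an independent check says so, and that check belongs in the disposal record alongside the asset tag. Overwriting a file on a mounted filesystem, as this demo does, reaches only that file's blocks; a real drive must be overwritten through its device node, and flash media with wear-levelled spare blocks additionally needs the device's own secure-erase command or physical destruction before it can be treated as clean.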
