After the Supreme Court decided to end federal protection for abortion in June, many abortion advocates and lawmakers started agitating for the Biden administration to make changes to the medical privacy law HIPAA. That’s because HIPAA has many, many gaps and doesn’t actually keep information around abortion safe in many situations.
Here’s something HIPAA does do, though — govern garbage! It’s a HIPAA violation for someone to do what the New England Dermatology and Laser Center (NEDLC) did last year: throw away containers with patient labels on them in a parking lot dumpster. The labels had patient names and birthdays on them, and a security guard found them. The Department of Health and Human Services did an investigation, and NEDLC settled for $300,640.
There are very specific rules around how healthcare providers and insurance companies can dispose of identifiable health information about their patients. They can’t just put pill bottles or patient records in dumpsters, where anyone might be able to come across them. Healthcare providers should be “shredding, burning, pulping, or pulverizing” paper patient health records, the agency says in an FAQ. If they’re trying to get rid of digital health records stored on hard drives, they should be destroying them by “disintegration, pulverization, melting, incinerating, or shredding.” Sometimes, they might be able to put prescription bottles or hospital ID bracelets in locked dumpsters.
Instead of doing any of that, the NEDLC would just put containers with patient labels in the regular garbage.
After the HHS investigation, NEDLC agreed to create and implement a new policy for how it’ll dispose of health information. It’ll train employees and penalize any employees who don’t follow the new plans.
This is the sort of thing HIPAA is built to do. It makes sure someone doesn’t have a container showing that they had a dermatological test left in a parking lot. It makes sure that doctors don’t leave nasty Google reviews about patients and that hospitals are protecting against cyberattacks that could reveal patient information. It doesn’t make sure that cops can’t access your medical records, and it doesn’t stop period tracking apps from sharing data with Facebook or Google. HIPAA can be useful, but it was built for garbage — not for the digital surveillance age.