San Mateo (Calif.) Medical Center is alerting patients seen at its Daly City (Calif.) Clinic to a potential breach of their protected health information.
Here are seven things to know:
1. An employee left a box containing patient information under her desk on Nov. 6.
2. Overnight, a temporary housekeeping staff, believing the documents in the box were recycling, moved the documents to the recycling bin instead of the confidential bin for shredding.
3. HIPAA mandates covered entities properly dispose of PHI. Acceptable methods of paper record disposal include shredding, burning, pulping or pulverizing.
4. The hospital was unable to determine which specific patients' had their information recycled instead of shredded, but the box only contained the information of patients seen Nov. 5 and Nov. 6.
5. Potentially compromised information includes patients' names, dates of birth, medical record numbers, genders, ages, provider or resource names, primary care providers, dates of service, patient account numbers and insurance codes.
6. San Mateo said the clinic's manager conducted site visits Nov. 8 and Nov. 16, and instructed the clinic to no longer use recycling bins but rather immediately place confidential information into a shred bin.
7. "We regret that this incident occurred, and are reinforcing our policy that medical staff should place all documents with patient information in the confidential bin for shredding and not leave documents with patient information out overnight," Gabriela Behn, privacy and corporate compliance officer at San Mateo, wrote in the notice to patients.