Thursday, March 24, 2011

Solution to dumping unwanted medical records: drop-off boxes

Saskatchewan made the national news!

Not good.  Abandoned medical records found in a dumpster.  Privacy Commissioner "astonished".

This has happened before, and predictably, the Commissioner and blog commentators trot out the applicable penalties and want to find someone to blame.

This is definitely an breach of patients' privacy and completely unprofessional.  But, maybe we should look beyond finger-pointing and try to find a solution to this recurring problem.  For whatever reason, the custodian of these records decided to move them from the original doctor's office.  Perhaps the doctor moved or retired.  Maybe they were culling out-of-date charts.  Regardless of what journey the charts took from the file room to the dumpster, they were unwanted.  And, we already have models for managing valuable, sensitive, yet unwanted items whose current owners cannot manage for various reasons, including inadequate resources.

Baby drop-off programs.

No questions asked.  Leave the baby and we'll look after her.  No blame, no penalty.

Unsecured medical records will continue to be a problem because of physician retirement, relocation (particularly a problem in Saskatchewan!) or lack of filing space in medical offices.  It is clearly the professional responsibility of physicians to securely store, then appropriately dispose of patient records.

But, for a variety of reasons, some docs are not going to fulfill their responsibilities.  So the question is, do we want to try to force them to do it (good luck with that if the doc is retired or deceased), or do we want a mechanism to secure and dispose of orphaned records?

How about this: Set up locked drop boxes around the province.  Use hospitals/medical centres, as doctors know where they are and have access to them.  The Privacy Commissioner would have to decide whether records would be automatically shredded or whether someone would have to screen them first.

Yes, the doctor is ethically responsible to provide storage.  Yes, the doctor is obliged to pay for secure shredding and disposal.  The vast majority of docs do so and will continue to do so.  But, for the rare few whose circumstances may lead them to ditch records and run, wouldn't it be worthwhile to provide a secure alternative?

P.S. Electronic medical records, anyone?


  1. Some study says, EMR (Electronic Medical Records) is the new standard in medical technology. Basically, hospitals are hoping to have the entire medical record of patients available on the computer system, including all notes written for that patient. You can see the potential benefits.

  2. Umm.. Thanks for the post, electronic medical records (AKA spambot). Automaton or not, you are correct that there are definite benefits to EMRs.

  3. Isn't it interesting that it is the doctor who is considered the "owner" of the records, not the patient.

    Why not give the charts to the patients?

  4. Thanks. Yes, you're right - patients own their records, and the ideal solution would be to let the patient keep their chart.

    However, in the instance of a doctor/clinic treating patient charts as in this news report, it seems unlikely that this doctor/clinic would make the effort to contact all their patients. Even an ad in the paper is unlikely to reach many patients.

    It's a difficult situation, but as I noted in the post, if the health regulators want to prevent this from happening repeatedly, they should stop blaming and start reaching out to doctors/clinics who are about to violate privacy rules, and offer to help.

  5. When my physician closed her office, I tried to have my record shredded because I feared this sort of thing. I called the College and was told there was no way this could be done due to retention periods even if I signed a document waiving this requirement. Now the records have gone to Ontario to an agency that is not recognised by the provincial privacy commissioner for privacy standards. Go figure- shredding would have been much better!!!

    1. That's disgusting. People should be able to "pick" up their records when a doctor closes office.

  6. I hate electronic medical records and feel they are an extreme threat to North America. There is no such thing as a computer that can't be breached regardless of the amount of security. If it were so, Microsoft, the FBI, and banks would be able to keep people out. Our own RCMP suggested at one time that people were probably aware of only about 10% of the actual number of breaches.

    Those who have their equipment breached are not responsible by law, so everything is in their favour, yet a patient who is threatened for the rest of his life by information that has been accessed through these computers receives no compensation even for legal fees. Nor is any company obliged to notify him that his records have been breached, so even if he were allowed compensation, he wouldn't know how the offenders got hold of it.

    What's really scary these days is the fact that doctors are putting this information on laptops and travelling who knows where with it. So many of these laptops have been carelessly placed to pretty well ensure theft of them, and of course each time the words, "gee no, I didn't encrypt them" but I am very sorry and will learn by that next time are used.

    Apologies aren't enough. There should be extremely extremely stiff fines for lost or stolen laptops. Carelessness should not be promoted to the degree it is.

    Furthermore, who is checking on these doctor's files to ensure they are secure? Probably no one, or maybe there is one check a year or so, leaving the records vulnerable the rest of the year. I think laptops with medical records should be banned entirely.