Sometimes data security is a matter of simple, low-tech precautions, such as shredding paper records containing personal information prior to disposal. Even in the absence of rigorous HIPAA enforcement, state and federal regulators have an array of new laws that may be used to pursue health care organizations that fail to adhere to reasonable security practices. And some of those laws have teeth.
A case in point is the January 10 lawsuit filed by Texas Attorney General Greg Abbott against a Pennsylvania provider of physical therapy services, charging that more than 4,000 documents containing sensitive information, including medical records, were simply tossed in the garbage (Texas v. Select Med. Corp., Tex. Dist. Ct., No. 08-01-21154, petition filed 1/10/08). The AG brought the action under the state's Identity Theft Enforcement and Protection Act, which was enacted in 2005. The Texas law requires businesses to "shred, erase, or otherwise make the sensitive personal information unreadable or undecipherable."
The AG is asking the court to order the company, known as HealthSouth Rehabilitation Center, to implement a comprehensive information security program. In addition, the AG is seeking fines of up to $500 for each unshredded record containing personal identifying information and fines of up to $50,000 for each violation of the Texas identity theft law. It's much cheaper to buy a shredder ....