“How do you mistakenly destroy not one file, not 10, not 50, but thousands of files? How do you mistakenly do that?”
This question was asked last week by U.S. attorney Marlan Wilbanks with regard to a whistleblower case against Halifax Health of Volusia County, Florida, which is accused of destroying critical evidence by shredding the medical records of 6,000 patients. (See report by WFTV Channel 9, Orlando.)
From the standpoint of information management, the issue here isn’t whether these records were destroyed to cover up hospital misdeeds related to Medicare admissions, as the prosecution claims, or simply, as the hospital says, to comply with a Florida law permitting destruction after seven years. Rather, it is all about whether the principals involved understand how the technology tools used to manage records must be used in sync with the compliance regulations in effect or there will be consequences – and generally not positive ones.
In this instance, I am compelled to start by pointing out that thousands of files actually can be destroyed by mistake – especially if they are stored electronically. As is so often the case, the root of the matter lies in metadata, which if misapplied, could easily tag records for destruction before their time, and set them up to be blown away as a batch upon the mere click of a button. It might also result from a failure to tag the records in question for legal hold, an administrative procedure that would suspend all other rules regarding disposal, and thus keep them in the shredding queue.
Second, Wilbanks’ response to the hospital’s compliance defense was to observe, “The law change they’re talking about was in 1997. Why did they wait 14 years?” If this is so, then I have to take the hospital to task for missing the boat on the importance of destruction deadlines and the risks associated with missing them. Live and learn, I suppose, but talk about self-inflicted and avoidable pain.
What bearing any of this will have on the legal case remains to be seen. But the lesson for you as an information professional is clear: attention must be paid to the application of both the technology tools and the compliance requirements, and care must be taken that they are managed each with an eye toward the other.
What stories can you share about technology/regulatory mismatches? What were the consequences? Do let us know, in the comments section below or in the various social forums!