What’s the penalty for mishandling a medical record? $2.09

Those of you with long-enough memories may remember an Internet radio piece I did a couple of years ago in which I told the tale of a Boston Globe photographer who was bringing his trash to his local dump and discovered a 20-by-20-foot mountain of patient records from four Massachusetts hospitals that had not properly been disposed of. (Read the original news report.)

This week, the circle closed around this as the individual doctors and the former owners of the billing company involved agreed to pay a fine of $140,000 and contribute to a state data protection fund. According to the Globe article posted on Monday, the pile of papers “included records for more than 67,000 people, including names, addresses, Social Security numbers, pathology reports for people tested for various kinds of cancer, and other test results.”

A quick trip to the calculator tells us that the penalty leveled by the Massachusetts attorney general’s office comes to $2.09 per record, give or take depending upon the specific number of people affected and the size of the fund contribution. My question is whether the punishment here fits the crime.

The cynical among us will look at this figure and conclude that it is low enough to be considered a cost of doing business for caretakers of medical records who may decide it is not worth the hassle to actually shred and/or incinerate every document in their charge. Others may decide that the aggregate sum is high enough to keep organizations on the straight and narrow, especially considering that no evidence of identity theft or other impropriety was found in the wake of the discovery of the building-sized pile of paper.

Whatever your view, I think we can all agree that the issue is beginning to become more costly to ignore that it has been before. I’m just curious to know how large this cost must become before organizations decide it is cheaper to properly dispose of their medical records than to risk being fined for carelessness or criminality.

About the author: Steve Weissman

Steve Weissman helps you do information right by bringing order and discipline to your governance and process practices. Principal Consultant at Holly Group and Co-Founder of the Information Coalition (now merged with ARMA International), he leverages a proven proprietary methodology to optimize everything from strategic planning and needs assessment to vendor selection and user adoption. He is, in short, The Info Gov Guy™, furthering best-practices for finding, leveraging, and protecting your business-critical information. A member of the AIIM Company of Fellows and holder of numerous industry designations, he can be reached at steve@hollygroup.com or 617-383-4655.

Has one comment to “What’s the penalty for mishandling a medical record? $2.09”

You can leave a reply or Trackback this post.

  1. Confused Records Manager - January 19, 2013 at 5:52 am

    I just got notified that I could be potentially be a member in a class action suit, because a social media site used images from a page I administer to without consent. The potential settlement = $10/person! So let’s just put this in perspective: data breach victims are awarded $2.09 per person, and social media victims could be awarded $10 per person? Does anyone else see a problem here?

Leave a Reply

Your email address will not be published.