TexLaw, Attorney
Category: Legal
Satisfied Customers: 4430
Experience:  Lead trial/International commercial attorney licensed 11 yrs

What should I do I found a plastic surgeons server and back


What should I do? I found a plastic surgeon's server and back up server (I assume he got new equipment) in a dumpster. I am a former patient of his. Do I have any right to sue for him violating my privacy as well as everyone else's? I found this tonight... should I contact media? police? I talked to cleaning company to see when it was dumped so I could determine which day they were trashed.

Thank you for your question. A medical professional is bound to keep your medical information private under state laws and HIPAA (Health Insurance Portability and Accountability Act). This includes making sure that your information stays private in documents and electronic information which is disposed of, such as the server you found.

The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. See 45 CFR 164.530(c). This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use.

In your case, under the facts you have provided, there is no indication that the server that you found actually has any PHI on it. Your assumption is that it does and we can work under that assumption. A doctor can't simply throw medical records (or servers containing medical records) into a trash can which is accessible to the public. This would be in itself a violation of HIPAA.

In regard to what you should do, at this point you do not have a private action that you could enforce for money damages. First of all, since you discovered the information in the dumpster, there has not been a disclosure to any third party of your information. If you look at the information and find medical records of other people, then there might be disclosure of their medical records and they might have a claim. However, they could also potentially file a claim against you for intentional invasion of privacy.

What you should do in this situation is contact the U.S. Department of Health and Human Services and file a HIPAA violation complaint. USHHS is the federal department tasked with enforcing HIPAA. If USHHS finds a violation, it may fine your doctor for the negligent failure to protect the privacy of your health records.

Please let me know if you have any further questions regarding this subject or need any clarification.

Best Regards,
Zachary D. Norris
Customer: replied 5 years ago.
I assume he's possibly going out of business or at least downsizing. I make this assumption based on the sheer amount in dumpster. He had other PHI including patient paperwork in dumpster. There were tons of other things too, like boxes and boxes of patient brochures and even office supplies like hole punches, staplers, etc

You think the best route is to contact US HHS first? Or should I alert police that I found it? Somehow in my mind the media sounds like a good idea, because it's a great story! I did talk to the cleaning company and video-tape it on my phone so there would be a record of my findings. This doc has been in practice over 30 years. IF, and I agree that it's a big IF (but if he was careless enough to throw paper copies of PHI in dumpster it's likely that he may dispose of electronic PHI in the same manner) ... IF his entire database is on these servers then there's potentially a lot of people whose information is at risk. And yes, I agree. I do not plan to try to see what's on servers personally. First of all because I'm not computer savvy enough if I wanted to but also because I don't want to get myself in trouble.
The local police force does not have jurisdiction to enforce medical privacy laws. So I don't think that will be any help. I would definitely contact HHS and file a complaint.

It sounds like this doctor was very negligent if he disposed of the medical records in this fashion. There are all kinds of problems that it presents in addition to the breach of confidentiality...what about the fact that people may need to have other doctors look at their medical records????!

So, looking at it from a newsworthiness view...I would think it is newsworthy and that this may very well interest the local press. However, I would be extremely careful in making any statements to the press. You want to avoid any potential liability for defamation. If it turns out that the doctor did not disclose any protected information, then he could turn around and sue you if you went on record through the press to accuse him of wrongdoing. So, it might be better to simply tip the press to what is going on...even anonymously.
Customer: replied 5 years ago.
Gotcha! Thanks so much!