Deleting computer files not enough to ensure privacy

An Alabama man's purchase of a used computer with patient records is a cue to take care when disposing of equipment.

By Tyler Chin, AMNews staff. April 18, 2005.

A man in Cottonwood, Ala., snapped up an old computer at a flea market for $10 and was surprised to find it chock full of personal medical information about more than 3,000 people, including his late grandfather.

The episode illustrates how important it is for doctors to scrub all personal or medical information from their old computers or risk public embarrassment and a potential pile of legal trouble.

Records discarded with a computer could, for example, violate not only the 2-year-old federal medical records privacy rule but also a regulation that goes into effect April 20 aimed at protecting the security of such data, said Tom Walsh, a Kansas-based consultant on security issues related to the Health Insurance Portability and Accountability Act of 1996.

Under the latest security rule, physicians will be required to safeguard the confidentiality, integrity and availability of electronic health data or face potential civil and criminal penalties. Doctors also could find themselves liable to actions by patients, especially if data retrieved from a discarded computer are used to steal peoples' identities, Walsh said.

"I don't know any small physician practice that could stand to get sued for not protecting data used for identity theft," he said.

It was the potential for identity theft that struck Shawn Peterman, a self-described "computer geek," as he peeked inside the machine he bought March 6. When he booted up the old DOS computer, a program called "Doctor's Office Manager" popped up.