What Happens to Your Information When a Company Goes Under?

4/30/2010

The Endpoint Security blog recently reviewed the actions of a Hollywood Video store that went out of business and subsequently threw old membership forms in the dumpster. The blogger inevitably asks the question: who is to blame here?

The answer, as is usually the case, is complicated. As it turns out, disposal is the Bermuda Triangle of data privacy. Whereas an organization, while solvent, is responsible for protecting its customers’ information, the picture becomes somewhat muddy if the company folds. Unless the data breach occurs before the company is completely dismantled, it’s difficult to pinpoint anyone left to be held accountable for fines or notifications. Further, the organizational assets, like desktop computers, are often sold off to the highest bidder. It’s alarming to think how much hardware may get shuffled about, still containing the records it held at the time the company went out of business, because no one wants the added expense of erasing the data.

It’s sort of an occupational hazard around here to worry about how much worse this story could be. Let’s say the company going out of business is a third-party vendor that has patients’ PHI from a client hospital. What happens when this company throws patient PHI in the dumpster? According to HITECH, the client hospital still has notification responsibilities even if a third party breaches the information. During contract negotiations, the hospital no doubt fully vetted the third party’s privacy and security policies, their processes for handling the hospital’s PHI, as well as their willingness to step up to the plate in the event of a data breach. But if that business associate contract doesn’t cover proper data disposal, healthcare organizations should at least be asking, “In the event that you go out of business, what happens to our patient data?”

By Jeremiah Miller
Director of Operations, Investigation and Restoration Center, Kroll Fraud Solutions
