Looking for some general quidance on this. I understand you are not my lawyer etc. This is a hypothetical conversation.
In the scenario where (1) A large psychological practice loses some state contracts they depended on financially, and they go bankrupt and (2) they then default on their lease and vacate the space they had been leasing, leaving behind furniture, various office junk and boxes of patient records and (3) If the practice declines to pick up the items and the records, despite the Landlord’s requests to “clear out the unit” for an incoming Tenant, and tells the Landlord he can do as he wishes with the abandoned contents. (4) Is the Landlord able to dispose of the records (ie throw them in a dumpster) without liability? I understand the Tenant may have liability in this instance, but does the Landlordhave any liability in clearing the space out?
What happens to any corporate obligations when the officers of the corporation quit, are fired, or move away? Is it like a game of hot potato, the last person in an executive or board position is the one to blame for the mess left behind if they make no arrangements?
I presume in this case it was a full bankruptcy, there were no assets worth enough to make someone else buy the corporation?
Assume the Landlord has not been informed of any entity buying out or taking over the practice. It appears the pactice has disassociated with all the members in the process of going back to either individual practice or a different group practice.
IANAL, but I do know enough about HIPAA (note the spelling) to know that it only applies to certain entities.
According to this cite from the Department of Health and Human Services, it only applies to:
It goes on to state:
Given the above, and that the landlord isn’t among the three groups which must comply with HIPAA privacy regulations, it doesn’t look, to me, like he is bound by HIPAA rules on what he does (or does not) do with those records.
Is there not a personal professional liability on the individual doctors who created confidential records to ensure they’re disposed of securely, rather than just abandoned?
Over here, data protection law would also apply to the custody and disposal of personal data, and if memory serves, that could apply equally to the originators and the inheritors of the records. Whoever’s got them has to deal with them securely, even if that’s simply shredding them.
Good question. When a doctor works for a corporation and leaves, who owns the records - him/her or the corporation? If the owner(s) of the corporation is not a doctor, and the last doctor leaves…?
I guess the other point is - if the corporation is bankrupt and folded, and is the “person” responsible for the records, who ya gonna sue? What are you going to sue them for, if they have no assets left? Who does the federal government charge?
Assuming someone stumbles across this thread in a not hypothetical situation.
The landlord should probably contact the AMA (American Medical Association) to report the situation and try to make arrangements to have them retrieve the records.
I would guess that abandonment of any documents covered by HIPAA is violation on their part, so if the practice left the records behind, that’s on them. The landlord isn’t covered by HIPAA regulations.
Actually, in the UK, any organisation that might be covered by the DPA has to appoint a controller who is the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
That person or group is ultimately accountable for compliance and the compliance of their processors (the people who do the data entries).
An individual can also bring claims directly against a controller if the processing breaches the UK GDPR, in particular, if the processing causes the individual damage.
So, in the circumstances described by the OP, it would be the controller’s responsibility to ensure that the records were taken care of and they could be held personally liable if they failed. Ultimately, if they can’t be identified, it would be either the Local Authority or some part of the NHS to deal with it.
But the main question is - what happens when that person quits and they haven’t yet (or never get to) hiring a replacement? Does the role immediately fall to his superior, or is it vacant? It’s one thing if it’s a doctor with a private practice so it’s all on him, it’s another if its a corporation which hires individuals who simply work for the corporation. (What if the controller gets hit by a bus, or a beer truck?)
I don’t know if beer truck collisions are covered by the legislation. I assume that, as with most legal things in a company, it would fall to the directors if the designated officer was unable to carry on…