Are your medical records safe?

Our medical records are confidential pieces of information that we do not disseminate for everyone to examine and gaze upon. These files are for our personal knowledge and use and for our doctors and specialists to look over in order to diagnose and treat us. Sometimes, these records are requested in the courtroom to serve as evidence when presenting a case.

Along with these records, our social security numbers and dates of birth are access keys to everything, from medical records to bank accounts, and they are holy grails for those on the road to performing identity theft. If we do not keep these bits of information under wraps, all hell can break loose.

This being said, how do we know whether doctors and hospitals are keeping our records safe from unauthorized parties? Is it possible for others besides ourselves and those we authorize to obtain our personal information? Is it possible that our dates of birth and social security numbers may be passed along to just anyone?

The Florida Bar passed rules of civil procedure for service of process that allow law firms to mail their subpoenas for production of non-parties (i.e., medical records subpoenas). These subpoenas request information from a patient’s records and provide the patient’s date of birth and/or social security number. These documents are sent to mailrooms at hospitals and/or doctor’s offices. However, there is no guarantee that this is done in a legit fashion.

Being part of a service of process company, we do not understand how this is lawful. For starters, this is not done according to the Florida Statutes, nor has it been passed into law through Congress.

On a daily basis, we process tons of subpoenas for medical records, easily a couple hundred of these papers every week, as they are always being requested by our clients. So this is a basic gauge as to how much patient information is floating around our office, which, at least, is better than floating around in mailing envelopes all over town. In an effort to maintain patient privacy, we sift through each of these subpoenas and redact every single social security number and date of birth present before scanning them into our internal system.

Certified Civil Process Server Program – Informational Manual by Walter D. Cordle, Jr., Process Server Program Coordinator, is a booklet given to process servers for Miami-Dade County. It states, “Process must be correctly ‘served’ – delivered to the person named in process – in order for the court to acquire jurisdiction, or power, over that person or property. If process is not served correctly, the court may not legally consider the matter and any decision rendered by that court is subject to being voided.” (p. 1)

The federal HIPAA law was originally written with the intention that all subpoenas would be served according to federal and state laws, meaning they would be personally served to doctor’s offices and hospitals. The idea of these documents being mailed to these medical offices was out of the question.

This monster of an issue was created by attorneys of the Florida Bar in an effort to possibly cut costs in their cases, but by taking this route, they are placing individuals’ information in jeopardy. If something were to happen as a result of these subpoenas being mailed, the attorneys and law firms would not be the ones in boiling water – the hospitals and doctor’s offices would be the ones subject to heavy fines imposed by Health and Human Services in Washington, D.C. These fines can range from $10,000 to millions of dollars.

So next time you’re at the doctor’s office or in the hospital, be sure to mention you are not willing to have your information released unless it is served by means of a proper subpoena that is served by a process server. You’ll probably surprise the medical staff with this request, but this can save you loads of heartache and headache.