In general, both state and federal laws apply to health information or protected health information that is in the possession of hospitals, health systems, and medical providers.

HIPAA requires that covered entities protect the confidentiality and integrity of protected health information in their possession and secure it from unauthorized access, use, or disclosure. In addition, state laws may apply to protect the confidentiality of health information depending on the state in which you reside and may require health care providers to properly dispose of health information when the health care provider is no longer in business.

When a health care entity goes out of business, it is supposed to follow the laws that are applicable to it when disposing of the health information in its possession. Unfortunately for patients of Eastern Ozarks Regional Medical System (Eastern Ozarks), it appears from a complaint filed against it by the Arkansas Attorney General (AG) that it did not properly dispose of medical records when it closed its doors in 2004.

According to the AG’s complaint, the system shuttered its doors in 2004 and the property was transferred to the state because of tax deficiencies. Patients’ files were left behind in the facility and storage buildings, the facility was vandalized, and the vandals had access to and examined the files in order to steal sensitive personal and health information. AG Leslie Rutledge conducted a site examination and estimates that there “could be several thousands of files that were left behind in the unsecured buildings. These files contained social security numbers, driver’s license numbers, account information, medical information and biometric data.”

Attorney General Rutledge alleges that Eastern Ozarks violated the Arkansas Personal Information Protection Act and the Arkansas Deceptive Trade Practices Act. Civil penalties of up to $10,000 for each violation of those laws are applicable.

State Attorneys General usually have jurisdiction over consumer protection. According to Attorney General Rutledge, “Consumers must be able to trust their healthcare providers and employers to protect their personal information.”

Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law. Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island.