Recently the Indiana legislature passed, and Indiana’s governor signed into law, Senate Enrolled Act No. 356 (a/k/a Public Law 84 of Second Regular Session 116th General Assembly 2010), a wide-ranging 71-page bill that, in addition to setting out practices and requirements for barbers, cosmetologists, well pump installers, mental health counselors and numerous other state licensed professions, included legislative modifications to add a new chapter to the Indiana Code entitled Health Records and Identifying Information Protection (the “Act”), IC 4-6-14, effective as of July 1, 2010. The new chapter specifies new duties given to the Indiana Attorney General related to the identification, handling, and ultimate transfer, destruction or delivery of abandoned health and other records containing personal information.
What does the new law address?
The new chapter grants the Indiana’s Attorney General’s Office the power to determine whether a “health care provider” or “regulated professional” – as defined elsewhere in the Indiana Code – has abandoned either health records or other records containing personal identifying information, and if determined to be abandoned to then (ii) take possession of such records and thereafter “store, maintain, transfer and protect” those records before either (iii) delivering the records to the “the patients and those individuals identified” in the records or (iv) destroying them. IC 4-6-15-4. In addition the Attorney General “may adopt rules under IC 4-22-2 [Indiana’s Administrative Rules and Procedures] that are necessary to administer and implement this chapter”, IC 4-6-14-13, but the Act expressly states that “nothing in this chapter shall be construed to create new authority for a subpoena or search warrant,” IC 4-6-14-6(c), and provides “[t]he attorney general may pay for the administration of this chapter only from funds currently appropriated to the office of the attorney general.” IC 4-6-14-15.
Observations: As used by the Act, “Regulated Professional” means “an individual who is regulated by a board listed under IC 25-1-11-1.” IC 4-6-14-4. Under IC 25-1-11-1 the listed boards cover accountants, architects, landscape architects, auctioneers, state athletic commissions, barbers, cosmetologists, land surveyors, those in the funeral and cemetery services, plumbers, real estate appraisers and professional (excluding attorneys), manufactured home installers, home inspectors and massage therapists.
Lastly, for purposes of the new Chapter, a record is “abandoned” when it has been “voluntarily surrendered, relinquished, or disclaimed by the healthcare provider or regulated professional, with no intention of reclaiming or regaining possession.” IC 4-6-14-1.
What kinds of information does the Act regulate?
The Act regulates “health records” and “records or documents that contain personal information.” For purposes of the Act, “personal information has the meaning set forth in IC 24-4.9-2-10,” where PI is defined as “(1) a Social Security number that is not encrypted or redacted; or (2) an individual’s first and last names, or first initial and last name, and one (1) or more of the following data elements that are not encrypted or redacted: (A) a driver’s license number; (B) a state identification card number; (C) a credit card number; [or] (D) a financial account number or debit card number in combination with a security code, password, or access code that would permit access to the person’s account.” This definition of PI is provided by Indiana’s data breach notification statute.
Observations: The Act does not define what specifically qualifies as a “health record”. However, it does define “health care provider”, referencing IC 16-39-7-1, as someone who is either a physician, dentist, registered nurse, licensed practical nurse, optometrist, podiatrist, chiropractor, physical therapist, psychologist, audiologist and speech-language pathologist. IC 4-6-14-2. As a result, any of the records maintained by the preceding list that deal with health information of individuals would arguably be a “health record.
What is the Attorney General empowered to do with the records?
Once records that fall within the scope of the Act are identified by the Attorney General’s Office, it “may” take possession of them and thereafter “store, maintain, transfer, protect” and “destroy” (as provided in IC 4-6-14-8(b) and 9(b)) the records. A determination that records coming within the Act are abandoned is subject to judicial review by an Indiana circuit or superior court, provided anyone seeking to challenge a designation of abandonment “musty notify the attorney general of the intention to seek judicial review.” IC 4-6-14-14.
Observations: Despite this new duty, the Attorney General is fully immunized under the Act “from civil liability for destroying or failing to maintain the custody and control of any record obtained under this chapter.” IC 4-6-14-11.
Individuals or their representatives may inquire directly with the Attorney General’s office to learn if any abandoned records containing their PI are being held by downloading an Abandoned Records Request Form, or by calling the Attorney General’s Consumer Protection Division at (800) 382-5516 to request a form be mailed. In addition, the Attorney General maintains a web-page listing from whom or what entity abandoned records have been collected to date: http://www.in.gov/attorneygeneral/2808.htm. All individual’s names are kept confidential.
What notification is the Attorney General required to give under the Act?
The Act specifies that the Attorney General “make reasonable efforts” to notify those patients and individuals whose records the Attorney General has assumed possession of.
Any notice given “must” include, pursuant to IC 4-6-14-7(a), information about how to either obtain originals or copies of one’s records or how to have them sent to a “duly authorized subsequent treating health care provider.” Further, in an effort to help locate those whose records are brought into protective custody by the Attorney General, the AG’s office is expressly allowed “unless prohibited by law” to notify “other persons, including professional organizations, hospitals, law enforcement agencies, and government units” that “may be able to assist in notifying persons whose records were abandoned ….” IC 4-6-14-7.
How long will the Attorney General maintain records before destruction?
The Attorney General’s duty to maintain the records is not unlimited, and any records taken into custody under the Act may be destroyed at the earlier of either three years from the date when the records where secured or “the time required under IC 16-39-7-1 [Maintenance of health records by providers (seven years)] and IC 16-39-7-2 [Maintenance of x-rays by providers; mammograms; (five years)].” IC 4-6-14-8 & 9.
What penalties exist under the Act?
There are no actual penalties for abandoning records under the Act. However, the Act establishes a standalone sequestered “health records and personal identifying information protection trust fund” to pay for the storage, maintenance, transfer and destruction of records that come within the Act. IC 4-6-14-10. Any health care provider or regulated professional that is independently disciplined under other parts of the Indiana Code must now also pay a fee of $5 into the fund.