Medical Records Found Dumped in San Antonio: A Wake-Up Call for Proper Document Disposal
In May 2023, local journalists reported two separate instances of improper document disposal in San Antonio. In the first, stacks of papers littered the highway; the second involved a document dump under a bridge. These occurrences happened just days apart and only 2 miles apart.
According to eyewitnesses, however, both sets of documents came from the same facility and featured hundreds of pages of medical information, including patient names, Social Security numbers, addresses, prescriptions, and treatment plans.
The reports raised immediate concerns about identity theft and regulatory violations. This shocking discovery highlights the critical importance of proper medical document disposal, and the incidents serve as a stark reminder of the severe consequences healthcare facilities face when they fail to properly handle and dispose of confidential patient information.
Why This is Serious
The medical information contained in those papers qualifies as protected health information (PHI). Under the Health Insurance Portability and Accountability Act (HIPAA) rules, covered entities and their business associates must apply appropriate administrative, technical and physical safeguards to protect PHI, including, and perhaps most especially, when they dispose of it.
Simply tossing records where the public can access them is expressly discouraged by Health and Human Services (HHS)/Office for Civil Rights (OCR) guidance.
What the Law and HHS Say About Disposal
HHS/OCR FAQ guidance makes four simple points:
- Covered entities must use reasonable safeguards when disposing of PHI.
- PHI should not be abandoned in dumpsters or other containers accessible to the public or other unauthorized persons.
- Acceptable disposal methods include shredding, burning, pulping, or pulverizing, which render information unreadable and unrecoverable.
- Organizations should document policies and train staff.
The Staggering Cost of HIPAA Violations
A single public dump of medical records can trigger OCR investigations and state enforcement, costly settlements or fines, potential criminal referrals (in egregious cases), and damage to reputation, not to mention the harm to patients.
What Penalties and Enforcement Look Like
When healthcare facilities fail to properly dispose of medical records, they face severe financial and legal consequences under HIPAA. The penalties for improper disposal of medical records are substantial and can devastate a practice financially.
HIPAA Civil and Criminal Penalties
- Civil money penalties: The HHS Office for Civil Rights (OCR) enforces HIPAA and can impose civil monetary penalties that vary based on culpability. The penalty structure has tiers (from lack of knowledge up to willful neglect), with per-violation minimums and maximums adjusted for inflation. Recent guidance and updates show per-violation minimums beginning in the low hundreds and maximums reaching into the millions as well as very large annual caps for severe/uncorrected violations.
- Criminal penalties: For wrongful or intentional misuse of PHI, the Department of Justice can pursue criminal charges. Penalties range from fines and one year in prison for knowingly obtaining or disclosing PHI up to much larger fines and up to 5–10 years in prison for violations involving false pretenses or intent to sell/use PHI for personal gain.
Texas State Law
- The Texas Medical Records Privacy Act (Texas Health & Safety Code Chapter 181) provides state-level enforcement in addition to HIPAA. Civil penalties under Texas law can include per-violation fines, the state attorney general can pursue injunctive relief, and courts may assess larger penalties (into the tens or hundreds of thousands) when violations form a pattern or practice. State licensing boards (for physicians, nursing homes, etc.) can also take disciplinary action, including fines, sanctions or license consequences.
Erosion of Public Trust
The most immediate consequence of such a public breach is not a regulatory fine but a complete erosion of public trust.
Going back to the San Antonio incidents, the moment news broke, the damage was done. The media report itself acted as the initial penalty, broadcasting to the community that a healthcare provider had failed in its most basic fiduciary duty. When patients see that a medical practice has discarded their most personal information in a public space, they lose confidence in the provider’s ability to safeguard their health data.
This loss of trust can have a more severe and long-lasting impact than any civil penalty, leading to patient attrition and irreparable reputational damage. The resulting loss of revenue and brand equity often far outweighs the cost of the initial fines. The initial act of improper disposal triggers a cascade of negative outcomes that can cripple a practice’s long-term viability.
Best Practices for Medical Record Disposal
To avoid the severe consequences mentioned above, healthcare facilities should implement comprehensive document disposal protocols.
- Secure destruction: All physical documents containing protected health information must be shredded or destroyed in a manner that makes them unreadable and unreconstructible.
- Digital data destruction: Electronic records require proper digital destruction methods to ensure data cannot be recovered.
- Chain of custody: Maintain detailed records of all documents being disposed of and the destruction process.
- Employee training: Ensure all staff understand the importance of proper document handling and disposal procedures.
- Third-party verification: Work with certified document destruction services, such as Marshall Shredding, which provide Certificates of Destruction and comply with federal regulations.
The Marshall Shredding Difference: A Local Solution for Local Professionals
For practices in San Antonio and the surrounding areas, a local solution exists that embodies the highest standards of security and compliance. Marshall Shredding provides professional document destruction services that directly address the vulnerabilities exposed by the recent incident.
Marshall Shredding is a NAID AAA certified company, which means it adheres to the gold standard of data destruction. Our professional shredding services provide several critical benefits:
- HIPAA compliance: We understand the specific requirements for medical record disposal and ensure full compliance with federal regulations.
- Risk mitigation: Our professional services eliminate the risk of human error in the disposal process, which reduces the likelihood of violations and penalties.
- Documentation: Proper destruction services provide Certificates of Destruction that serve as a verifiable legal record of compliance in case of audits or investigations.
- Flexible support: Regular scheduled pickups and destruction services ensure that document disposal becomes a systematic part of healthcare operations rather than an afterthought. We also offer one-time cleanouts and on-site mobile shredding, where you can witness the destruction of your documents firsthand.
If you handle PHI, outsourcing to a certified shredding partner is one of the fastest, most defensible ways to reduce risk. Marshall Shredding can help you protect patients, avoid fines, and prove compliance.
Prevention is Better Than Penalties
The San Antonio incidents are not merely news stories; they serve as profound warnings. The improper disposal of medical records is a grave form of negligence that carries severe consequences, from devastating fines and criminal charges to the irreversible loss of patient trust and professional reputation.
Secure document destruction is no longer an optional measure. It is a legal and ethical obligation. To protect your facility, practice, patients, and professional standing, you must act now.
Contact Marshall Shredding today to learn about our HIPAA-compliant, NAID AAA-certified services. Secure your legacy. Secure your patients’ privacy. Contact us for a free quote and take the first step toward true data security.