Update of June 15: My tweets about the situation described below resulted in Iron Mountain’s Twitter team contacting their internal team, who called me. As of yesterday afternoon, the patient records that had supposedly been securely destroyed more than a year ago were finally securely destroyed. I was also told by customer service that the records had not been transferred to Georgia as I thought they had been based on something said to me –that it was only the personnel and processing that got shifted to Georgia in a move. In any event, Iron Mountain obviously screwed this up badly and it probably would have continued that way if one of their employees hadn’t noticed that something was wrong with the account. If there’s any lesson to be learned, it may be that covered entities can’t really rely on the word or assurances of their business associates and we may need to think about how to verify important claims.
This is a difficult post to write because I am furious. As a conscientious solo practitioner trying to properly secure paper format patient records, I used an external service under a business associate agreement (BAA), as described by HIPAA. Eventually, the storage vendor I used was bought out by Iron Mountain, and a new BAA was signed with them.
Last year, I placed a secure destruction work order for cartons of records to be destroyed and also ordered account closure. I found the process extremely frustrating. I was originally told the destruction of records and account closure would all take place within 10 days, which seemed reasonable. But everything after that was anything but reasonable. I was sent multiple requests for different formats for the destruction of records, which I dutifully signed and returned each time. And then I was billed multiple times for the last month’s storage and records destruction.
Eventually, more than one month after everything should have been completed, I received confirmation that the work had been done and my account was closed.
Several months later, I started receiving bills for what I supposedly owed them for the extra storage time. I refused to pay, because the account should have been closed within 10 days in which case there would be no additional storage. Eventually those bills stopped.
In April of this year, I received a bizarre call from Iron Mountain. If I wanted the cartons of records destroyed and my account closed, I would have to send them a destruction order/waiver and pay them.
I told them that the work had all been done and paid for last year and my account was already closed. And that’s when the real outrage started:
It turns out that they never destroyed the cartons of records at all. They moved them all to Georgia and they have reportedly been there since then.
To say I was flabbergasted would be an understatement.
It is now more than one month later and they still haven’t destroyed the records that they had assured me had been destroyed more than one year ago. I told them that I had already given them the work order and waiver last year. Apparently when they moved, they lost all the paper work so they needed it all over again. Then someone else contacted me that they would work up the bill for the destruction fees and account closure. I wrote them back that that was all paid last year.
I am getting bruxism from gritting my teeth.
I sent certified letters to two “leaders” on Iron Mountain’s leadership page:
Raymond C. Fox
Executive Vice President and Chief Risk Officer, andJohn “JT” Tomovcsik
Executive Vice President & Chief Operating Officer
Both letters came back from Iron Mountain’s corporate headquarters marked “Addressee Unknown”
I have sent emails every day to customer support asking why the records still haven’t been destroyed. I get no replies. Today, I used the “submit feedback” form on their website to ask them why the hell they still haven’t destroyed those records securely.
And every day, I will tweet a link to this post until I get results.
If you are a HIPAA- covered entity or someone storing sensitive records, my caution to you is this: do not trust Iron Mountain. And if you do decide to trust them, put something in your contract that they have to video or record themselves destroying your records and send you the video as proof, because obviously, their word or assurances can’t be trusted.