Tuesday, September 8, 2015

Is This a Breach?

Potential HIPAA PHI Breach

Q: We found medical records about one of our patients in our parking lot. Is this a breach? What should we do?

A: Despite all the focus on keeping electronic records secure, a lot of paper records still exist. In this instance, the patient or his or her legal representative may have dropped the paperwork by accident. Or, more ominously, a staff member could have dropped it.

You should certainly do whatever you can to investigate how the records got to the parking lot and look into who might have seen them. When you have completed your investigation, you will be able to determine whether the incident is likely to cause harm to the patient. If you conclude that no harm was done, you do not have to report the incident to the patient or to HHS. That said, it is always wise to be as transparent as possible, and this would include notifying the patient.

In addition, it would be appropriate to remind your staff members that they should not take PHI out of the building. If you determine that someone removed the information for a legitimate purpose, you may want to purchase lockable bags for those who must transport PHI.