D’oh! OCR Confirms that Medical Records Should Not be Left in the Driveway

The most recent Office for Civil Rights (“OCR”) HIPAA enforcement action serves as an important reminder to health care providers of the security risks associated with a mishandled medical records custody transfer and the risks of leaving paper records in the driveway.  The enforcement action and ensuing settlement – an $800,000 fine and corrective action plan – was levied against Parkview Health System, Inc., (“Parkview”) a provider of community-based health care services.  In 2008, Parkview took custody of the paper medical records of 5,000 – 8,000 patients in connection with a physician’s retirement and in anticipation of purchasing some of the physician’s practice.  In 2009, perhaps after the transaction fell through, although the Parkview Resolution Agreementdoes not specify, Parkview left 71 boxes of these medical records unattended in the driveway of the physician’s home, and, according to OCR, within 20 feet of a public road and a short distance from a heavily trafficked public shopping area.

Medical records custody transfers are extremely common in health care transactions such as asset purchases or sales, or when a health care provider is retiring or leaving a practice.  Medical records custody agreements ensure that records are maintained for legally required time periods to facilitate ongoing patient care, payment, audit, and other purposes.  Providers should take care to ensure that, in addition to retention and availability, custody arrangements ensure the ongoing security of medical records in any form.  Paper records should be secured in accordance with HIPAA standards, for example, stored in locked facility with physical safeguards consistent with HIPAA standards.  Storage in a retiring physician’s driveway, abandoned office space, public storage facility, or other unsecured physical location is inconsistent with HIPAA standards.  Records in electronic form must be protected in accordance with the HIPAA Security Rule.  Both the transferring and the recipient provider should carefully consider technical security measures, who will have electronic access to the records, and how that access will occur.  Failure to address these important considerations risks not only a breach but aggressive enforcement by OCR.

 


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Mintz Levin - Privacy & Security Matters | Attorney Advertising

Written by:

more+
less-

Mintz Levin - Privacy & Security Matters on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.
×
Loading...
×
×