The most recent Office for Civil Rights (“OCR”) HIPAA enforcement action serves as an important reminder to health care providers of the security risks associated with a mishandled medical records custody transfer and the risks of leaving paper records in the driveway. The enforcement action and ensuing settlement – an $800,000 fine and corrective action plan – was levied against Parkview Health System, Inc., (“Parkview”) a provider of community-based health care services. In 2008, Parkview took custody of the paper medical records of 5,000 – 8,000 patients in connection with a physician’s retirement and in anticipation of purchasing some of the physician’s practice. In 2009, perhaps after the transaction fell through, although the Parkview Resolution Agreementdoes not specify, Parkview left 71 boxes of these medical records unattended in the driveway of the physician’s home, and, according to OCR, within 20 feet of a public road and a short distance from a heavily trafficked public shopping area.
Medical records custody transfers are extremely common in health care transactions such as asset purchases or sales, or when a health care provider is retiring or leaving a practice. Medical records custody agreements ensure that records are maintained for legally required time periods to facilitate ongoing patient care, payment, audit, and other purposes. Providers should take care to ensure that, in addition to retention and availability, custody arrangements ensure the ongoing security of medical records in any form. Paper records should be secured in accordance with HIPAA standards, for example, stored in locked facility with physical safeguards consistent with HIPAA standards. Storage in a retiring physician’s driveway, abandoned office space, public storage facility, or other unsecured physical location is inconsistent with HIPAA standards. Records in electronic form must be protected in accordance with the HIPAA Security Rule. Both the transferring and the recipient provider should carefully consider technical security measures, who will have electronic access to the records, and how that access will occur. Failure to address these important considerations risks not only a breach but aggressive enforcement by OCR.