Health System Pays $800,000 Fine for Leaving PHI in Doctor’s Driveway


While enforcement activity by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has focused primarily on a covered entity’s safeguarding of electronic protected health information (ePHI), organizations cannot forget about PHI in nonelectronic form. In 2009, a retiring physician filed a complaint with HHS against Parkview Health System, Inc. (Parkview) alleging that Parkview had violated the Privacy Rule in September 2008 when it received and took custody of medical records pertaining to 5,000 – 8,000 of the retiring physician’s patients in order to transition them to new providers. In June 2009, Parkview employees, despite having notice that the retiring physician was not at home, left 71 cardboard boxes filled with medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, which was within 20 feet of the public road and four doors down from a heavily trafficked public shopping venue. Under the Privacy Rule, Parkview, as a covered entity, must appropriately and reasonably safeguard all PHI in its possession, from the time it is acquired through its disposition. See 45 CFR 164.530(c).

To settle potential violations of the HIPAA Privacy Rule, Parkview entered into a resolution agreement with OCR under which it agreed to pay $800,000 and adopt a corrective action plan to cure deficiencies in its HIPAA compliance program. The corrective action plan provides that Parkview will revise its policies and procedures, train staff, and submit an implementation report to OCR.

In its announcement of the resolution agreement with Parkview, OCR directed covered entities to its guidance on recommended safeguards for the disposal of PHI, which may include:

  • For PHI in paper records, shredding, burning, pulping or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable and otherwise unable to be reconstructed.
  • For PHI contained in electronic media, clearing, purging or destroying the media by degaussing, exposing the media to strong magnetic fields, disintegration, pulverization, melting, incinerating, shredding, etc. See NIST SP 800-88, Guidelines for Media Sanitization.
  • Shredding or otherwise destroying PHI in paper records so that the PHI is rendered essentially unreadable, indecipherable and otherwise unable to be reconstructed prior to it being placed in a dumpster or other trash receptacle.
  • Maintaining PHI for disposal in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
Topics:  Enforcement, HHS, HIPAA, Medical Records, OCR, PHI

Published In: Health Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
