On June 23, 2014, the Department of Health and Human Services (HHS) entered into an $800,000 settlement with Parkview Health System, Inc. (“Parkview”), a nonprofit community health system serving northeastern Indiana and northwest Ohio, over a potential Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule violation arising from its handling of patient records on behalf of a retiring physician.1
The settlement stemmed from an investigation opened by the HHS Office for Civil Rights (“OCR”) on May 16, 2011, in response to a complaint from a retiring physician alleging that Parkview had violated the HIPAA Privacy Rule. The investigation revealed that Parkview had agreed to take custody of 5,000 to 8,000 patient records that contained protected health information (“PHI”) in paper form while assisting with the transition of the retiring physician’s patients to new providers and while evaluating a possible purchase of a portion of the physician’s practice. When Parkview later tried to return these records to the retiring physician, the physician refused delivery. According to OCR, on June 9, 2009, Parkview employees, knowing that the physician was not at home, delivered 71 cardboard boxes of these medical records to the driveway of the physician’s home and left them there unattended and accessible to the public. The boxes were left within 20 feet of the public road and a short distance (four doors down) from a heavily trafficked public shopping venue.
OCR found that, by leaving the records unattended in a publicly accessible area, Parkview failed to appropriately and reasonably safeguard the PHI throughout the time it was in Parkview’s possession, as HIPAA requires a covered entity to do until the PHI is permissibly transferred or rendered unreadable, unusable or indecipherable to unauthorized persons.2
In addition to the $800,000 payment, the settlement included a corrective action plan requiring Parkview to revise its policies and procedures relating to the privacy of individually identifiable health information, implement additional administrative, physical and technical safeguards to protect the privacy of non-electronic PHI, and conduct additional training for all workforce members. For a period of one year, Parkview is required to report all violations of its HIPAA policies and procedures to HHS within 30 days of such violation.
The Parkview settlement should be seen as a message to covered entities and business associates to review their policies and procedures relating to any PHI in their possession, whether generated in-house or maintained on behalf of others. As Christina Heide, acting deputy director of health information privacy at OCR, stated, “All too often we receive complaints of records being discarded or transferred in a manner that puts patient information at risk. It is imperative that HIPAA covered entities and their business associates protect patient information during its transfer and disposal.”
Additional guidance from HHS concerning the proper disposal of PHI is available on the HHS website.
1 United States Department of Health and Human Services, Office for Civil Rights and Parkview Health System, Inc. Resolution Agreement (June 23, 2014), http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/hhs-parkview-resolution-cap.pdf
2 See 45 C.F.R. § 164.530(c).