While OCR enforcement activity has focused on a covered entity’s safeguarding of ePHI, organizations cannot forget about PHI in non-electronic form. To settle potential violations of the HIPAA Privacy Rule, Parkview Health System, Inc. (“Parkview”), a nonprofit healthcare system providing community-based healthcare services to individuals in northeast Indiana and northwest Ohio, entered into a resolution agreement with OCR where it agreed to pay $800,000 and adopt a corrective action plan to cure deficiencies in its HIPAA compliance program.
In 2009, a retiring physician filed a complaint with HHS against Parkview alleging that it had violated the Privacy Rule in September 2008 when it received and took custody of medical records pertaining to 5,000 to 8,000 of the retiring physician’s patients in order to transition the records to new providers. Parkview was also considering the possibility of purchasing some of the records. In June 2009, Parkview employees, with notice that the retiring physician was not at home, left 71 cardboard boxes filled with medical records unattended and accessible to unauthorized persons on the driveway of the retiring physician’s home, which was within 20 feet of the public road and a short distance away (four doors down) from a heavily trafficked public shopping venue. Under the Privacy Rule, Parkview, as a covered entity, must appropriately and reasonably safeguard all protected health information in its possession, from the time it is acquired through its disposition. See 45 C.F.R. § 164.530(c).
In addition to the resolution amount, Parkview has agreed to a corrective action plan requiring it to revise its policies and procedures, train staff, and provide an implementation report to OCR.
OCR, in announcing the Parkview Resolution Agreement, also pointed covered entities to its guidance on the disposal of PHI, which can be found here. Recommended disposal of PHI includes:
For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise unable to be reconstructed.
For PHI contained in electronic media, clearing, purging, or destroying the media by degaussing, exposing the media to strong magnetic fields, disintegration, pulverization, melting, incinerating, shredding, etc. See NIST SP 800-88, Guidelines for Media Sanitization.
Shredding or otherwise destroying PHI in paper records so that the PHI is rendered essentially unreadable, indecipherable, and otherwise unable to be reconstructed prior to it being placed in a dumpster or other trash receptacle.
Maintaining PHI for disposal in a secure area and using a reputable disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI (and obtain a certificate of destruction which identifies the PHI disposed).