$800,000 HIPAA settlement in alleged medical record dumping matter

Parkview Health System, Inc. (PHS) in Indiana has agreed to adopt a corrective action plan (CAP) to address deficiencies in its compliance program and to pay $800,000 to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in settlement of alleged violations of the Health Insurance Portability and Protection Act of 1996 (HIPAA). The alleged breach occurred when medical records of more than 5,000 patients that were in PHS’s custody were left unsecured.

As reported by OCR: “In September 2008, Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice. On June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue.”

OCR states, in the HHS press release, that “as a covered entity under the HIPAA Privacy Rule, Parkview must appropriately and reasonably safeguard all protected health information in its possession, from the time it is acquired through its disposition.” In addition, Christina Heide, acting deputy director of health information privacy at OCR, warns that “it is imperative that HIPAA covered entities and their business associates protect patient information during its transfer and disposal.”

While the resolution agreement notes that the agreement is neither an admission of liability by PHS nor a concession by HHS that PHS did not violate HIPAA rules, the agreement outlines PHS’s CAP to address the deficiencies identified by OCR as part of its CAP, PHS has agreed to do the following:

• Create policies and procedures regarding provision for administrative, physical and technical safeguards to protect the privacy of non-electronic protected health information (PHI) that is approved by HHS;
• Distribute the HHS approved policies and procedures to the PHS workforce and update existing PHS policies and procedures accordingly;
• Provide general safeguards training to all PHS workforce members who have access to PHI;
• Provide written or electronic evidence of training materials for HHS’ review; and
• Submit a final report to HHS regarding PHS’s compliance with this CAP.

Hospitals are often asked to accept medical records of retiring physicians or medical records from practices that are closing. It is imperative for hospitals to understand that the HIPAA privacy and security rules apply to such records in the hospital’s possession and the hospital needs to treat such records in the same confidential manner as its own records.