$800,000 HIPAA Settlement Related to Disposal of Medical Records

On June 23, 2014, the Department of Health and Human Services Office for Civil Rights (OCR) announced an $800,000 settlement with Parkview Health System, Inc. in connection with potential HIPAA violations. According to the OCR press release, Parkview agreed to pay $800,000 and adopt a corrective action plan to address deficiencies in its HIPAA compliance program.

OCR indicated it opened an investigation after receiving a complaint from a retiring physician alleging violations of the HIPAA Privacy Rule. The press release indicates that Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients in September 2008 while assisting the retiring physician with the transfer of her patients to new providers and while considering the potential purchase of some of the physician’s practice. On June 4, 2009, Parkview employees allegedly left 71 cardboard boxes filled with these medical records on the physician’s driveway with notice that the physician was not home at the time. The medical records were unattended and accessible to unknown individuals. Parkview, a covered entity under the HIPAA Privacy Rule, is required to appropriately and reasonably safeguard all protected health information (PHI) in its possession. Parkview reportedly cooperated with OCR during the investigation and has agreed to adopt a corrective action plan that requires Parkview to revise its HIPAA policies and procedures, train staff and provide an implementation report to OCR.

This settlement should serve as an important reminder to HIPAA covered entities and business associates regarding the importance of the proper disposal of PHI. OCR’s Deputy Director of Health Information Privacy Christina Heide noted that “all too often [OCR] receive[s] complaints of records being discarded or transferred in a manner that puts patient information at risk.” Covered entities and business associates are required to protect patient information from the time it is acquired, during its transfer and in connection with its disposal. While the HIPAA Privacy and Security Rules do not require a specific method of disposal, OCR has issued helpful guidance regarding the proper disposal of PHI. In addition to implementing reasonable safeguards to limit incidental and avoid prohibited uses and disclosures of PHI and policies and procedures addressing the final disposition of electronic PHI, HIPAA also requires that covered entities ensure their workforce members receive training on proper disposal procedures.