$800,000 HIPAA Settlement: Another Reminder to Safeguard and Properly Transfer or Dispose of Patient Records
On June 23, 2014, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a settlement with Parkview Health System, Inc., a nonprofit health care system serving parts of Indiana and Ohio, for violations of the HIPAA Privacy Rule. Parkview agreed to pay $800,000 and adopt a corrective action plan to review and revise its compliance policies and procedures, train staff and provide an implementation report to OCR.
A retiring physician filed the underlying complaint with OCR, alleging that Parkview failed to properly dispose of patient medical records. In the course of its investigation, OCR found that Parkview took custody of the paper medical records of 5,000 to 8,000 of the physician’s patients, while assisting with the transition of patients to new providers in anticipation of the physician’s retirement and evaluating the possibility of purchasing some of the patient records. In June 2009, Parkview employees left 71 cardboard boxes of medical records on the physician’s driveway, after receiving notice that the physician had refused delivery and was not at home. Although there was no evidence that any unauthorized individuals viewed patient information in connection with the incident, the medical records were unattended and accessible when placed in the driveway, 20 feet from a public road and a short distance from a shopping center.
Under the HIPAA Privacy Rule, a covered entity is required to “reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.” 45 C.F.R. § 164.530(c)(2). Accordingly, covered entities must take action to avoid prohibited use and disclosure of protected health information (PHI), including when transferring or disposing of medical records or other items containing PHI. In addition, the Security Rule requires covered entities to implement policies and procedures to address the disposition of electronic PHI and removal of PHI from hardware or software in preparation for re-use. 45 C.F.R. § 164.310(d)(2).
While Parkview presumably was not attempting to dispose of the records in the traditional sense, OCR nevertheless viewed its actions as “dumping” in violation of HIPAA. OCR has made clear that providers cannot leave PHI in dumpsters or other containers accessible to unauthorized individuals, unless the PHI has been rendered essentially unreadable, indecipherable, and otherwise incapable of being reconstructed. In determining the proper disposal method, OCR recommends assessing the potential risks to patient privacy, and the form, type, and amount of PHI at issue. In addition, covered entities may hire business associates to dispose of PHI, so long as the parties enter into an agreement requiring the business associate to safeguard the PHI through disposal. OCR provides additional guidance on disposing of PHI in a FAQ available here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf.
We have seen cases where a covered provider, through various circumstances, comes into possession of records of another provider. This settlement is a reminder that the covered entity should apply HIPAA safeguards to those records until another provider takes lawful custody of them through an appropriate transfer, or until a proper disposal is made. Covered entities must continuously secure patient records in their custody and ensure that any transfer or disposal of PHI is done in a manner that protects patient privacy.