Parkview Health System, Inc. (Parkview Health) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).  Parkview Health will pay $800,000 in a settlement fee and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program. Parkview is a nonprofit health care system that provides community-based health care services to individuals in northeast Indiana and northwest Ohio.

In 2009, a retiring Parkview Health physician filed a complaint with HHS about potential HIPAA violations. According to the physician, Parkview Health employees attempted to deliver 71 boxes containing the patient records of 5,000-8,000 of her patients to her home during her transition to retirement. The physician was not at home, so the employees left the boxes unattended in her driveway. The boxes were left 20 feet from the street, and her house is near a busy shopping plaza, which made the PHI accessible to any number of unauthorized individuals who passed by.

As a HIPAA covered entity, Parkview Health must appropriately and reasonably safeguard all protected health information in its possession, both on-site and during transport to off-site locations. Most likely Parkview Health did have written HIPAA policies and an employee training program in place. We do know that the corrective action plan requires Parkview Health to revise its policies and procedures, train staff, and provide an implementation report to OCR over the course of the next year.

Much of the focus in other recent HIPAA violation settlements and actions has been on the security of ePHI, with loss or theft of unencrypted mobile devices and storage drives containing ePHI prevailing as a top cause for concern among health IT security professionals.

However, the valuable lesson here is that the safekeeping (and disposal) of paper records remains important. HIPAA requires that organizations implement appropriate physical, technical and administrative safeguards to protect paper PHI. While the HIPAA Privacy and Security Rules do not provide all of the specifics, thorough and appropriate policies will specify safeguards for PHI during transport and storage. Policies may not anticipate every scenario, which highlights the importance of training all staff who may have exposure to or custody of PHI.

To read the full resolution agreement for this case, click here. To read OCR’s FAQs about the disposal of PHI, click here.
