Indiana-based Parkview Health System (“Parkview”) has agreed to settle potential violations of the HIPAA Privacy Rule with the HHS Office for Civil Rights (“OCR”) by paying $800,000 and adopting a corrective action plan to address deficiencies in its HIPAA compliance program. The resolution agreement can be found here.
According to the HHS press release, the OCR opened an investigation after receiving a complaint from a retiring physician alleging that Parkview had violated the HIPAA Privacy Rule. In September 2008, Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice. On June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue. It is unclear whether any of these medical records were actually viewed by anyone else.
In addition to the $800,000 payment, Parkview entered into a corrective action plan that requires it to:
- Develop, maintain and revise, as necessary, written policies and procedures addressing the requirements of the Privacy Rule and the corrective action plan (“Policies and Procedures”). Specifically, these Policies and Procedures must, at a “minimum, provide for administrative, physical and technical safeguards (‘safeguards’) to protect the privacy of non-electronic PHI to ensure that such PHI is appropriately and reasonably safeguarded from any intentional, unintentional or incidental use or disclosure that is in violation of the Privacy Rule.”
- Provide the Policies and Procedures to HHS within 30 days of the Resolution Agreement’s Effective Date for HHS’s review and approval.
- Distribute Policies and Procedures to all Parkview workforce members.
- Periodically review the Policies and Procedures and update them to reflect changes in operations at Parkview, federal law, HHS guidance and/or any material compliance issues discovered by Parkview.
- Notify HHS in writing within 30 days if Parkview determines that a workforce member has violated the Policies and Procedures (“Reportable Events”).
- Provide general safeguards training to all workforce members who have access to PHI, as required by the Privacy Rule.
- Provide training on its approved Policies and Procedures to all workforce members.
- Submit to HHS a final report demonstrating Parkview’s compliance with the corrective action plan.
Organizations should pay careful attention to the transfer and disposal of both electronic and paper patient records. The OCR has provided helpful FAQs about HIPAA and the disposal of protected health information. For more information about complying with the HIPAA Privacy Rule, please contact Jefferson Lin or Elana Zana.