$800,000 Penalty for Paper Records Breach
Boxes of Documents Were Left on a Driveway
An $800,000 HIPAA settlement between the Department of Health and Human Services and an Indiana community health system for an incident involving paper records dumping is the latest reminder that patient information needs to be safeguarded regardless of whether it's electronic or paper-based.
Parkview Health System, a not-for-profit organization serving northeast Indiana and northwest Ohio, agreed to the settlement involving "potential violations" of the HIPAA Privacy Rule as a result of an incident in June 2009 involving the paper medical records of 5,000 to 8,000 patients.
The settlement includes an $800,000 payment by Parkview and a corrective action plan "to address deficiencies in its HIPAA compliance program," according to the HHS Office for Civil Rights.
OCR opened an investigation into Parkview after receiving a complaint from a retiring physician alleging that the provider organization had violated the HIPAA Privacy Rule. In September 2008, Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician with transitioning her patients to new providers and while considering the possibility of purchasing some of the physician's practice, OCR says.
However, on June 4, 2009, Parkview employees, who had been notified that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician's home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue, according to the resolution agreement between OCR and Parkview.
"All too often we receive complaints of records being discarded or transferred in a manner that puts patient information at risk," says Christina Heide, acting deputy director of health information privacy at OCR. "It is imperative that HIPAA covered entities and their business associates protect patient information during its transfer and disposal."
In a statement provided to Information Security Media Group, Parkview Health System says, "We regret the actions taken when this incident occurred and will work to ensure it does not happen again. This was an isolated incident that happened more than five years ago involving the transition of paper records of a retiring non-Parkview physician."
Parkview Health also notes: "The government does not allege that any unauthorized parties viewed any of those records in connection with this. Parkview Health has a robust and thorough compliance program in place to prevent similar issues from arising in the future. Parkview has also implemented a comprehensive electronic health record system since this event occurred that is more secure than a paper record system. Parkview Health will immediately begin implementing a corrective action plan to strengthen our policies and procedures and to provide additional HIPAA training to co-workers."
Corrective Action Plan
The corrective action plan that Parkview agreed to implement includes:
- Updating and distributing its policies and procedures for workforce members who use or disclose protected health information, including providing for administrative, physical and technical safeguards to protect the privacy of non-electronic PHI;
- Providing safeguards training to all workforce members who have access to PHI, and having each workforce member who is required to attend training certify, in electronic or written form, they received the training;
- Providing HHS with a copy of its PHI-related policies and procedures, and training material for review and approval.
The Parkview case isn't the first time that OCR has issued a hefty financial penalty tied to improper handling of paper documents.
In a 2010 settlement, Rite Aid Corp. agreed to pay a $1 million fine and take corrective action after some of its stores improperly disposed of prescription information in dumpsters. Also, a $2.25 million settlement was reached in a similar case against CVS Caremark in February 2009.
Security and privacy experts say the Parkview case is yet another warning for healthcare entities and business associates, who are now directly liable for HIPAA compliance under the HIPAA Omnibus Rule, to take steps to safeguard PHI, whether it's paper-based or electronic.
"While the focus over the past few years has been on electronic health records, the [HIPAA] requirements equally relate to paper-based records," says Dan Berger, CEO of security consulting firm Redspin. "Policies and protections against improper disposal are very important. Typically the risk is greater when the patient information is concentrated on electronic media. But large numbers of paper records sent to an external shredding company, for example, can also pose a big risk."
Kate Borten, president of security and privacy consulting firm The Marblehead Group, notes: "Although this [incident] occurred five years ago, it is a reminder that every member of the workforce is required to think about what they're doing with patient information - even paper. There is still plenty of paper PHI out there."
In fact, the most recent annual breach report submitted by OCR to Congress revealed that in 2012, paper records were involved in 23 percent of major health data breaches - those affecting 500 or more individuals. That same year, paper records were involved in 61 percent of smaller breaches (see Preventing Breaches: Don't Forget Paper).
Also, earlier this month a breach involving paper records occurred at Access Health CT, the Connecticut state health insurance exchange. On June 6, the exchange operated by Connecticut under the Affordable Care Act revealed that a backpack containing four paper notepads with handwritten information on about 400 consumers was found in a deli not far from the exchange's Hartford call center (see Small Breach, Big Lesson in Backpack).
As for the Parkview incident that led to the $800,000 settlement with OCR, Borten says the penalty shouldn't cause sticker shock, especially considering that OCR has been warning about cracking down on HIPAA enforcement.
"I don't think this amount is excessive. In general, the dollar amount isn't tied to the form of PHI, for example, electronic vs. paper," she says. "In this case boxes of paper records were completely exposed to the public. That's a pretty serious violation of HIPAA."
Workforce awareness and training are key in preventing paper-based breaches, Borten says. "This breach was a failure of common sense."
Properly safeguarding PHI is a deeper issue that must take root at organizations, Berger notes. "The most important thing is to build a culture around the privacy and security of patient information," he says. "It's not just a 'culture of compliance' which sounds a little Draconian. We prefer a 'culture of respect for our patients,' including the privacy of their health information."