On June 23, 2014, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $800,000 settlement with Parkview Health System, Inc. (“Parkview”) following a complaint involving patient medical records that were dumped by Parkview employees and left unattended on a physician’s driveway.
In 2008, Parkview took custody of hard copy medical records containing protected health information of several thousand patients of a retiring physician. On June 4, 2009, Parkview employees left 71 boxes of patient medical records unattended in the doctor’s driveway even though she was not at home and had refused delivery of the boxes. According to the Resolution Agreement, the boxes were “accessible to unauthorized persons on the driveway of Dr. Hamilton’s home, within 20 feet of the public road and a short distance away (four doors down) from a heavily trafficked public shopping venue.” Less than a week later, the physician filed a complaint against Parkview with HHS for violating the Privacy Rule.
Following Dr. Hamilton’s complaint, the HHS Office for Civil Rights (“OCR”) investigated Parkview. In the resolution agreement, OCR alleged that Parkview County had violated the Privacy Rule provision that requires covered entities to “reasonably safeguard protected health information from any intentional or unintentional use or disclosure” that violates the Privacy Rule. Pursuant to the resolution agreement, Parkview has agreed to pay a $800,000 settlement to HHS. In addition, the Corrective Action Plan attached to the resolution agreement requires Parkview to:
- Develop and maintain written policies and procedures that comply with the Privacy Rule and submit them to HHS for approval;
- following HHS’ approval, distribute those policies to its workforce;
- report any violation of its policies and procedures to HHS in writing within 30 days of such violation; and
- provide HIPAA training to its workforce.
In announcing the resolution agreement, Christina Heide, Acting Deputy Director of the Health Information Privacy Division at OCR, stated that the case demonstrates that “it is imperative that HIPAA covered entities and their business associates protect patient information during its transfer and disposal.”