While enforcement activity by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has focused primarily on a covered entity’s safeguard of electronic protected health information (ePHI), organizations cannot forget about PHI in nonelectronic form. In 2009, a retiring physician filed a complaint with HHS against Parkview Health System, Inc. (Parkview) alleging that Parkview had violated the Privacy Rule in September 2008 when it received and took custody of medical records pertaining to 5,000 – 8,000 of the retiring physician’s patients in order to transition them to new providers. In June 2009, Parkview employees, with notice that the retiring physician was not at home, left 71 cardboard boxes filled with medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, which was within 20 feet of the public road and four doors down from a heavily trafficked public shopping venue. Under the Privacy Rule, Parkview, as a covered entity, must appropriately and reasonably safeguard all PHI in its possession, from the time it is acquired through disposition. See 45 CFR 164.530(c).
To settle potential violations of the HIPAA Privacy Rule, Parkview entered into a resolution agreement with OCR where it agreed to pay $800,000 and adopt a corrective action plan to cure deficiencies in its HIPAA compliance program. The corrective action plan provides that Parkview will revise its policies and procedures, train staff and submit an implementation report to OCR.
- For PHI in paper records, shredding, burning, pulping or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable and otherwise unable to be reconstructed.
- For PHI contained in electronic media, clearing, purging or destroying the media by degaussing, exposing the media to strong magnetic fields, disintegration, pulverization, melting, incinerating, shredding, etc. See NIST SP 800-88, Guidelines for Media Sanitization.
- Shredding or otherwise destroying PHI in paper records so that the PHI is rendered essentially unreadable, indecipherable and otherwise unable to be reconstructed prior to it being placed in a dumpster or other trash receptacle.
- Maintaining PHI for disposal in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.