Parkview Health System Inc. has agreed to pay an $800,000 fine to a federal agency to settle potential privacy violations related to a medical records dump.
The U.S. Department of Health and Human Services’ Office for Civil Rights on Monday said it began an investigation in May 2011 after receiving a complaint from a retiring physician alleging Parkview violated HIPAA – the Health Insurance Portability and Accountability Act.
In June 2009, department officials said 71 cardboard boxes of medical records containing data from up to 8,000 patients were left unattended and accessible in the driveway of Dr. Christine Hamilton, who was not home at the time.
It is unclear whether all the patients were Hamilton’s.
The doctor was transitioning her patients to new providers when Parkview staff dumped the medical records at her home. Parkview would not say why it would not retain the medical records.
“All too often we receive complaints of records being discarded or transferred in a manner that puts patient information at risk,” said Christina Heide, acting deputy director of health information privacy at the Department of Health and Human Services Office for Civil Rights.
“It is imperative that HIPAA covered entities and their business associates protect patient information during its transfer and disposal,” she said.
In May, New York and Presbyterian Hospital and Columbia University agreed to pay $4.8 million to settle charges that they potentially violated HIPAA rules by failing to secure thousands of patients’ electronic protected health information held on their network.
The monetary payments include the largest HIPAA settlement to date.
New York and Presbyterian Hospital paid $3.3 million and Columbia University paid $1.5 million.
In addition to the $800,000, the Parkview settlement includes a corrective action plan requiring Parkview to revise its policies and procedures, train staff and provide an implementation report to the department.
Eric Clabaugh, public information manager for Parkview, said the hospital system hasn’t taken the episode lightly, but it is important to point out that patient information didn’t fall into the wrong hands.
“Parkview Health takes the privacy of its patients’ medical information very seriously,” he said in an email. “We regret the actions taken when this incident occurred and will work to ensure it does not happen again. The government does not allege that any unauthorized parties viewed any of those records in connection with this.”
Clabaugh said Hamilton was an independent physician and did not work for Parkview. The Journal Gazette could not reach Hamilton on Monday. Clabaugh did not explain why the records were dropped at Hamilton’s home instead of her medical office.
“This was an isolated incident that happened more than five years ago, involving the transition of paper records of a retiring non-Parkview physician,” Clabaugh said. “Parkview Health has a robust and thorough compliance program in place to prevent similar issues from arising in the future.
“Parkview has also implemented a comprehensive electronic health record system since this event occurred that is more secure than a paper record system. Parkview Health will immediately begin implementing a corrective action plan to strengthen our policies and procedures and to provide additional HIPAA training to co-workers.”
Even so, Parkview and hospitals nationwide will have their work cut out for them.
According to the 2014 Data Breach Industry Forecast by Experian, the health care industry is the most susceptible to publicly disclosed medical record breaches.
“The sheer size of the industry makes it vulnerable when you consider that as Americans, we will spend more than $9,210 per capita on health care,” the report stated. “The problem is further (exacerbated) by the fact that many doctors’ offices, clinics and hospitals are not in the data management business and therefore do not have enough resources to safeguard their patients’ health information.”