Group hit with $800K HIPAA bill
As myriad healthcare organizations have attested, the aftermath of a HIPAA violation generally isn't a pretty sight, especially when it comes to one's bank account. One Indiana-based health system has witnessed this reality after being slapped with an $800,000 settlement for violating the HIPAA Privacy Rule.
The six-hospital Parkview Health System in Fort Wayne, Ind., will pay $800,000 to the Office for Civil Rights, the HHS division responsible for enforcing HIPAA, in a settlement that stemmed from a 2009 complaint filed with OCR from a then retiring Parkview Health physician.
The complaint alleged that Parkview Health, which assumed responsibility of between 5,000 and 8,000 paper medical records of the physician's patients, unloaded 71 boxes containing these records in the doctor's driveway while she was away. According to the complaint, the medical records were "unattended and accessible to unauthorized persons" on the physician's driveway, located in a "heavily trafficked" area.
"All too often we receive complaints of records being discarded or transferred in a manner that puts patient information at risk," said Christina Heide, acting deputy director of health information privacy at OCR, in a June 23 press statement announcing the settlement. "It is imperative that HIPAA covered entities and their business associates protect patient information during its transfer and disposal."
As part of the settlement, OCR is requiring that Parkview Health develop, implement and distribute policies and procedures surrounding how employees are required by law to protect patients' health information. Moreover, Parkview Health must also provide all employees who handle protected health information with additional training on safeguarding patient data.
OCR set records this May after announcing its largest monetary settlement to date. New York-Presbyterian Hospital and Columbia University Medical Center together agreed to hand over a whopping $4.8 million to settle alleged HIPAA violations after the electronic protected health information of 6,800 patients wound up on Google back in 2010.
To date, OCR has levied nearly $26 million in monetary settlements against 23 HIPAA-covered entities found to have violated privacy, security and breach notification rules. More than 42 million people have had their protected health information compromised in these breaches.
Ultimately, seeing as the OCR has received some 100,000 HIPAA complaints since 2003, enforcement proves a "very small percentage of the work that we do," commented Iliana Peters, OCR's senior advisor for HIPAA compliance and enforcement, speaking at the HIMSS Media/Healthcare IT News Privacy and Security Forum in June. However, that's no green light to continue shirking one's privacy and security obligations. "It's a very important part of the work that we do," she added.
Peters, who discussed the go-live date of the Phase 2 HIPAA audits slated for end-of-year, also touched upon the importance of creating a culture of compliance. In addressing the attentively listening forum attendees – comprised chiefly of information security, privacy and compliance officers – she said the difficult piece pertains to "convincing up the chain, the people who don't necessarily deal with the data every day," she said. "If that message comes from the top and is heard at every level on the way down, then that is in our experience a really compliant organization."
Gerry Hinkley, partner at Pillsbury Winthrop Shaw Pittman's healthcare practice and chair of the HIMSS Legal Task Force, who also spoke at the forum, had a client who experienced a similar incident to that of Parkview Health.
This breach involved records from a hospital emergency department that should have been shredded ending up in a dumpster in front of the hospital.
"It was a windy day. Security forgot to put a lid on the dumpster. The records are down the street," Hinkley recounted. Ultimately, school children nearby ended up collecting the records and returned them to the hospital.
"The security guard said, 'not my job,'" said Hinkley. "How could someone seeing papers (flying about) not think, 'Gee, is that something I should think about?'"
The incident could well serve as the poster child for inadequate employee training, added Hinkley. The key is to "have it be owned by everybody from the first person the patient sees to the last one they see and everybody that touches their data in between."