Retired physician discovers HIPAA Privacy Rule Violation in front of his garage
It’s a sunny day in Indiana. A physician comes home to see a bunch of boxes in his driveway. On inspection, he discovers they’re his own patients’ records, dropped off by his former employer.
The physician, who had recently retired from Parkview Health System of Fort Wayne, Indiana, came home to 71 boxes of patient medical records, left unattended in his driveway, after being delivered by Parkview Health, a violation of the HIPAA Privacy Rule.
The HIPAA Privacy Rule makes it illegal for health care providers (covered entities) and those who serve them (business associates) to disclose protected health information to unauthorized people.
Privacy Rule Breach Compromises Thousands of Records
The medical records dump, as described by the Department of Health and Human Services, compromised the privacy of 5,000 to 8,000 patients.
The physician complained to the Office for Civil Rights (OCR) that Parkview Health had dropped off the unsecured documents in a “highly trafficked” location at a time when they knew the intended recipient was not home to accept the records.
Regulator says Privacy Rule Breaches happen “all too often”
Apparently, it wasn’t the first time health care businesses have mismanaged private patient records. “All too often we receive complaints of records being discarded or transferred in a manner that puts patient information at risk,” said Christina Heyde, then acting deputy director of health information privacy at OCR.
Parkview Health System agreed to pay $800,000 to settle the HIPAA Privacy Rule violation.