
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

PHI of 10,500 Patients of an Illinois Psychiatrist Exposed

The medical files of more than 10,000 patients of a Naperville, IL-based psychiatrist – Dr. Riaz Baber, M.D. – have been discovered in the basement of an Aurora property by the woman who rented the house from the psychiatrist. The files had been stored in the basement for at least 4 years.

The tenant, Barbara Jarvis-Neavins, was allegedly provided with a key to the basement by the psychiatrist’s wife as access was required when workmen had to visit the property. She was told that she was required to accompany workmen when they needed access.

Jarvis-Neavins said she wanted to report the presence of the files – and that she could access the storage area – but thought that by doing so she would be asked to vacate the property. When she was told that she had to move out as the house was being sold, she contacted law enforcement – including the FBI – and state regulators to report the unsecured files. The FBI referred her to the Department of Health and Human Services’ Office for Civil Rights and she filed a complaint. She also contacted NBC 5.

NBC 5 reporters followed up on the tip-off and covered the story in March 2017. Jarvis-Neavins told reporters that boxes of files were stored in the basement and that the files “has [patients] name, their address, their birthdate, their social security number, what’s wrong with them, what they’re being treated for, and what medication.”


NBC 5 reporters visited the property and contacted Dr. Baber. His attorney responded and issued a statement confirming the tenant should not have had access to the basement, that a key was never provided, and that the records were secured and the doors to the basement were locked. The files were allegedly removed from the property the day after NBC 5 contacted Dr. Baber.

On September 28, 2017, the Office for Civil Rights was informed of the breach of 10,500 records of Dr. Riaz Baber. It is unclear why it took 6 months for the breach to be reported when HIPAA Rules require a breach report to be submitted within 60 days of discovery.

Covered entities and their business associates that decide to store physical records such as physicians’ notes, charts, x-ray films, or documents off-site must implement administrative, technical, and physical controls to ensure the confidentiality, integrity, and availability of patients’ protected health information (PHI). Access to the facility must also be restricted to prevent unauthorized individuals from accessing PHI. In this case, some of the files were accessed by Jarvis-Neavins and the reporters, although no harm appears to have been caused to patients.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
