HIPAA Settlement Reached for Dumpster PHI Exposure
Under Health Insurance Portability and Accountability Act (HIPAA) data privacy and security rules, Protected Health Information (PHI) must be secured at all times and when data is no longer required it must be destroyed to prevent accidental exposure.
In May 2013, Midwest Women’s Healthcare Specialists disposed of a number of medical records of patients; however the files were placed in an open dumpster. While the material was destined to be destroyed, unauthorized individuals could have easily gained access to the information.
The HIPAA violation would perhaps not have been identified had it not been a particularly windy day. However, the some of the paper PHI records were blown from the dumpster up the street and the medical records were dispersed over an area of several blocks.
The data included in the files and notes included personal identifiable information, addresses, diagnoses, treatment details and test results. Many of the records also detailed the patient’s Social Security numbers. In total, the records of 1,532 female patients from Missouri were potentially exposed by this HIPAA violation.
Following on from this reported HIPAA breach, attorneys for the victims filed a lawsuit and a settlement of $400,000 has now been reached between the plaintiffs and Midwest Women’s Healthcare Specialists. The money is due to be paid into a victims’ fund to help all those affected, although the case will need to go before a Judge in January 2015 before the settlement is approved.
As part of the agreement, Midwest Women’s Healthcare Specialists will be providing each of the victims with free credit monitoring services for two years and the healthcare center will embark upon a program of HIPAA training to ensure that all of the staff is made aware of data security and privacy laws, and trained on the correct procedures for handling PHI.
The response to the security breach was rapid and prompt action was taken to limit the damage caused. The settlement was agreed to ensure the victims are not made to suffer financially as a result of the medical center’s error.
An apology has been issued and staff at the center has reassured patients and the general public that the error was an isolated incident and the privacy of patients at the center is treated very seriously. In a recent statement, a spokesperson for the center announced that “We are pleased to have reached an agreement that is satisfactory to all parties”, although while the compensation amount has been agreed, it does not mean that the matter is finally resolved.
The Department for Health and Human Services’ Office for Civil Rights is conducting an investigation into the security breach and has not yet arrived at any conclusions. The steps taken to mitigate the damage caused and the payment of compensation to the victims may sway the OCR, although stiff fines can still be imposed for the HIPAA violation. Potentially the center could face fines of up to $1.5 million for the HIPAA violation, with each instance of disclosure of PHI carrying a financial penalty of between $100 and $50,000.