Indiana Attorney General Issues $12,000 HIPAA Fine for Dumped PHI

The Indiana Attorney General’s Office has issued its first fine for Health Insurance Portability and Accountability Act violations pursuant to section 13410(e) of the HITECH Act.

The fine of $12,000 was issued to former Kokomo dentist, Joseph Beck, for illegally disposing of the Protected Health Information of his patients. 63 boxes of personal records containing an estimated 7,000 files were discovered in an Olive Branch Christian Church recycling dumpster in March 2013.

Beck had hired a data company called Just the Connection Inc., to securely destroy the paper records of his former patients; however the files were discovered during an investigation by Eyewitness News in March 2013 and are believed to have been in the dumpster for up to a week.

The investigative team viewed the records to determine their contents and discovered names, addresses, phone numbers, medical diagnoses, x-rays, dental information, Social Security and credit card numbers were all contained in the files. The patients affected had previously visited the Comfort Dental offices in Kokomo or Marion between 2002 and 2007. The files were handed to the Attorney General’s office which fielded questions from concerned patients; although no cases of identity theft have been reported.

While the healthcare industry appears to be focused on protecting electronic health records of patients, Indiana Attorney General, Greg Zoeller, reminded healthcare providers that HIPAA also covers hard copies of medical files and that they too must be properly protected.

In a press release he said, “In an era when online data breaches are top of mind, we may forget that hard-copy paper files, especially in a medical context, can contain highly sensitive information that is ripe for identity theft or other crimes.”

Indiana’s Disclosure of Security Breach Act only covers electronic health records, although legislation has been proposed to expand the law to cover all paper medical records and increase the fines which can be applied to individuals and organizations that fail to take the appropriate measures to protect patient health data. The new legislation also applies to data collectors; not just the individual or organization which owns the data.

Beck stopped practicing dentistry in 2011 when the Indiana Board of Dentistry permanently revoked his license after the Attorney General’s office discovered evidence of negligence and fraudulent billing. The latest action could have been more severe; the fine issued was considerably lower than it could have been had the new legislation been active during the case and Just the Connection Inc., would also have been held liable for the data breach.

The Attorney General is sending a message to all physicians and healthcare providers that it will not tolerate willful privacy and security breaches and will be taking action against individuals and organizations who violate the rules. “It’s really the responsibility of any physician or any professional to safeguard the records they maintain,” Zoeller told Indiana’s WTHR News.

In spite of having the power to do so, only three Attorney Generals Offices – Vermont, Connecticut & Massachusetts – have issued fines for HIPAA violations to date, and this is the first time an AG’s Office outside of New England has exercised the right to enforce HIPPA rules and regulations.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.