Parkview Health System Receives $800K HIPAA Privacy Rule Fine
The financial penalties for violations of HIPAA can be severe, as was discovered by Indiana-based Parkview Healthcare System recently when it was ordered to pay $800,000 in fines as a settlement for violation of the HIPAA Privacy Rule.
The incident for which the fine has been issued dates back to 2009, when a data security complaint was filed by a patient of one of its doctors. The doctor was retiring and received a delivery of 71 boxes of medical files containing up to 8,000 patient records; however, the delivery was made while he was out of the house, and the boxes were left on the doctor’s driveway. The confidential patient records could have been accessed by any number of individuals, as the boxes were left unattended in a “highly trafficked” area for a considerable period of time.
The complaint was made against Parkview Health as it was responsible for the paper records and should have taken greater care to protect the confidentiality of its patients. Acting Deputy Director of Health Information Privacy at OCR, Christina Heide, issued a statement regarding the incident and highlighted the need for HIPAA covered entities to take great care of patient data. She reiterated that it is the responsibility of healthcare organizations and their business associates to ensure that patient records are not left “unattended and accessible to unauthorized persons” and that data should be protected at all times. This applies to paper records as well as electronic data, and all HIPAA covered entities, as well as their business associates, must comply with current legislation or face financial penalties.
In addition to the fine, the OCR has stipulated that Parkview Health implement a training program to ensure that staff are made aware of the policies and procedures relating to HIPAA, with additional training provided to any individual required to handle PHI.
The number of HIPAA violations is growing, and the OCR has now conducted 23 investigations which have resulted in settlements being reached. The OCR has collected over $26 million in fines issued for privacy violations, data breaches and breaches of both HIPAA regulations and patient notification rules. The Office for Civil Rights uses the funds collected to further enforce legislation. These incidents have affected a total of 42 million people whose medical records have been potentially exposed and accessed by unauthorized individuals.