HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI of 10,500 Patients of an Illinois Psychiatrist Exposed

The medical files of more than 10,000 patients of a Naperville, IL-based psychiatrist – Dr. Riaz Baber, M.D. – have been discovered in the basement of an Aurora property by the woman who rented the house from the psychiatrist. The files had been stored in the basement for at least 4 years.

The tenant, Barbara Jarvis-Neavins, was allegedly provided with a key to the basement by the psychiatrist’s wife as access was required when workmen had to visit the property. She was told that she was required to accompany workmen when they needed access.

Jarvis-Neavins said she wanted to report the presence of the files – and that she could access the storage area – but thought that by doing so she would be asked to vacate the property. When she was told that she had to move out as the house was being sold, she contacted law enforcement – including the FBI – and state regulators to report the unsecured files. The FBI referred her to the Department of Health and Human Services’ Office for Civil Rights and she filed a complaint. She also contacted NBC 5.

NBC 5 reporters followed up on the tip-off and covered the story in March 2017. Jarvis-Neavins told reporters that boxes of files were stored in the basement and that the files “has [patients] name, their address, their birthdate, their social security number, what’s wrong with them, what they’re being treated for, and what medication.”

NBC 5 reporters visited the property and contacted Dr. Baber. His attorney responded and issued a statement confirming the tenant should not have had access to the basement, that a key was never provided, and that the records were secured and the doors to the basement were locked. The files were allegedly removed from the property the day after NBC 5 contacted Dr. Baber.

On September 28, 2017, the Office for Civil Rights was informed of the breach of 10,500 records of Dr. Riaz Baber. It is unclear why it took 6 months for the breach to be reported, when HIPAA Rules require a breach report to be submitted within 60 days of discovery.

Covered entities and their business associates that decide to store physical records such as physicians’ notes, charts, x-ray films, or documents off site must implement administrative, technical, and physical controls to ensure the confidentiality, integrity, and availability of patients’ protected health information (PHI). Access to the facility must also be restricted to prevent unauthorized individuals from accessing PHI. In this case, some of the files were accessed by Jarvis-Neavins and the reporters, although no harm appears to have been caused to patients.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.