‘Unique’ HIPAA Violation Results in $800,000 Settlement

June 26, 2014 – In The News

Elizabeth G. Litten was quoted in the DataGuidance article, "‘Unique’ HIPAA Violation Results in $800,000 Settlement." Full text can be found in the June 26, 2014, issue, but a synopsis is noted below.

The U.S. Department of Health and Human Services (HHS) announced a nonprofit health provider has agreed to pay $800,000 and enforce a corrective action plan to address its HIPAA compliance issues.

"The fact that Parkview left such a large volume of medical records in an unsecured location suggests that Parkview acted with 'willful neglect' as defined by the HIPAA regulations," said Elizabeth Litten. "Although the resolution amount of $800,000 seems high given the fact that the records were, apparently, intended to be transferred from one covered entity to another, the circumstances suggest that Parkview was intentionally or recklessly indifferent to its obligation to secure the records. Second, the incident underscores the risks attendant to paper records. A majority of large breaches involve electronic records, but paper PHI is also vulnerable to breach and covered entities and business associates need to realize that large fines and penalties are also likely to be imposed for failure to secure PHI contained in paper form."

"While the resolution agreement does not provide very much information as to the events leading up to the 'driveway dumping' event, its recitation of the facts raises the possibility that Parkview may not have had proper authorization to hold the records in the first place,” Litten said. “Parkview 'received and took control' of the records of 5,000 to 8,000 of the physician’s patients in September of 2008, because it was 'assisting' the physician with transitioning the patients to new providers and was 'considering the possibility of purchasing' the records from the physician, who was retiring and closing her practice. The 'driveway dumping' did not occur until June of 2009. It is not clear from the resolution agreement when the physician retired, whether Parkview ever treated the patients, and/or whether Parkview was otherwise appropriately authorized under HIPAA to receive, control and hold the records for this 10-month period."