Parkview Health Pays $800K in Medical Records Dumping Case
Fort Wayne, Ind.-based Parkview Health System has agreed to settle potential HIPAA privacy rule violations by paying $800,000 and adopting a corrective action plan to address deficiencies in its compliance program.
Fort Wayne, Ind.-based Parkview Health System has agreed to settle potential HIPAA privacy rule violations with the Department of Health and Human Services Office for Civil Rights by paying $800,000 and adopting a corrective action plan to address deficiencies in its compliance program.
According to a resolution agreement, the corrective action plan requires Parkview to revise its policies and procedures, train staff, and provide an implementation report to OCR, which opened an investigation of Parkview after receiving a complaint from a retiring physician.
The allegations against Parkview, a nonprofit health system that provides community-based healthcare services in northeast Indiana and northwest Ohio, date back to September 2008 when the provider took custody of medical records for 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physicians practice.
Specifically, on June 4, 2009, Parkview employees--with notice that the physician was not at home--left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physicians home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue, states the resolution agreement.
In a written statement, OCR states that as a covered entity under the HIPAA Privacy Rule Parkview must appropriately and reasonably safeguard all protected health information in its possession, from the time it is acquired through its disposition. Christina Heide, acting deputy director of health information privacy at OCR, warns that it is imperative that HIPAA covered entities and their business associates protect patient information during its transfer and disposal.
The resolution agreement emphasizes that the HIPAA settlement is not an admission of liability by Parkview. In addition, the agreement is not a concession by HHS that Parkview is not in violation of the Privacy Rule and not liable for civil money penalties.
According to a resolution agreement, the corrective action plan requires Parkview to revise its policies and procedures, train staff, and provide an implementation report to OCR, which opened an investigation of Parkview after receiving a complaint from a retiring physician.
The allegations against Parkview, a nonprofit health system that provides community-based healthcare services in northeast Indiana and northwest Ohio, date back to September 2008 when the provider took custody of medical records for 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physicians practice.
Specifically, on June 4, 2009, Parkview employees--with notice that the physician was not at home--left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physicians home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue, states the resolution agreement.
In a written statement, OCR states that as a covered entity under the HIPAA Privacy Rule Parkview must appropriately and reasonably safeguard all protected health information in its possession, from the time it is acquired through its disposition. Christina Heide, acting deputy director of health information privacy at OCR, warns that it is imperative that HIPAA covered entities and their business associates protect patient information during its transfer and disposal.
The resolution agreement emphasizes that the HIPAA settlement is not an admission of liability by Parkview. In addition, the agreement is not a concession by HHS that Parkview is not in violation of the Privacy Rule and not liable for civil money penalties.