Fort Wayne, Ind.-based Parkview Health System has agreed to settle potential HIPAA privacy rule violations with the Department of Health and Human Services Office for Civil Rights by paying $800,000 and adopting a corrective action plan to address deficiencies in its compliance program.

According to a resolution agreement, the corrective action plan requires Parkview to revise its policies and procedures, train staff, and provide an implementation report to OCR, which opened an investigation of Parkview after receiving a complaint from a retiring physician.

The allegations against Parkview, a nonprofit health system that provides community-based healthcare services in northeast Indiana and northwest Ohio, date back to September 2008 when the provider took custody of medical records for 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice.

Specifically, on June 4, 2009, Parkview employees--with notice that the physician was not at home--left 71 cardboard boxes of these medical records “unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue,” states the resolution agreement.

In a written statement, OCR states that as a covered entity under the HIPAA Privacy Rule “Parkview must appropriately and reasonably safeguard all protected health information in its possession, from the time it is acquired through its disposition.” Christina Heide, acting deputy director of health information privacy at OCR, warns that “it is imperative that HIPAA covered entities and their business associates protect patient information during its transfer and disposal.”

The resolution agreement emphasizes that the HIPAA settlement is not an admission of liability by Parkview. In addition, the agreement “is not a concession by HHS that Parkview is not in violation of the Privacy Rule and not liable for civil money penalties.”

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access