Under the Health Insurance Portability and Accountability Act, state Attorneys General's offices are permitted to issue financial penalties to violators of HIPAA Rules, and the Indiana AG's Office has just exercised this right and issued its first HIPAA penalty to a former Kokomo dentist: a fine for the improper disposal of PHI.
Under section 13410(e) of the HITECH Act, Attorneys General have been able to issue fines for HIPAA violations that affect state residents; however, few AG offices have so far held HIPAA-covered entities accountable for data breaches. To date, only three other Attorneys General's offices have issued HIPAA financial penalties – Vermont, Connecticut and Massachusetts – with the latter being the most active in this area.
£12,000 Fine for Dumped PHI
The HIPAA breach in question occurred when a former dentist from Kokomo improperly dumped confidential medical records in a community recycling dumpster. 63 boxes of medical files were dumped in a public area – the recycling dumpster of the Olive Branch Christian Church – which included 7,000 individual patient records. These records are covered under the HIPAA Privacy and Security Rules. The data included X-rays, medical information, dental records, Social Security numbers, credit card numbers and patient names, addresses and contact phone numbers.
Under HIPAA regulations, all PHI must be securely and permanently erased or rendered unreadable when it is no longer required. The dentist, Joseph Beck, claims to have hired a company, Just the Connection Inc., to securely erase the data. The company was allegedly called to collect the files and to ensure they were securely destroyed.
However, after an investigation into the incident by Eyewitness News reporters, it was discovered that the files had been dumped and left in public and unprotected for up to a week. Beck lost his license to practice dentistry in 2011 following allegations made against him for fraudulently billing clients and professional negligence. The files were the last of his records that needed to be disposed of.
Attorneys General Can Issue HIPAA Fines
Each state is permitted to introduce data security laws that offer a greater degree of protection for healthcare records than is required under HIPAA. In Indiana, the Disclosure of Security Breach Act has been introduced, but at the time of the HIPAA breach the Act only covered electronic health records. The definitions have since been changed to include all forms of Protected Health Information. Had this amendment been made prior to the incident, the fine for improper disposal of PHI would have been much greater, as higher fines can be issued to individuals and organizations for breaching data security rules under the Disclosure of Security Breach Act.
The Office for Civil Rights has been increasing the penalties issued to violators of HIPAA Rules in recent months and is policing the legislation much more rigorously. The increase in the number of Attorney General HIPAA fines, along with the OCR HIPAA enforcement actions, should send a strong message to healthcare organizations: if HIPAA Rules are not adhered to, the organizations or individuals in question will be held financially accountable.