Parkview Health Ordered to Pay Fine for Violating the HIPAA Privacy Rule
Parkview Health, an Indiana-based Healthcare System, has recently been ordered to pay the Department of Health and Human Services’ Office for Civil Rights (OCR) $800,000 as a fine for violating the HIPAA Privacy Rule.
When the OCR discovers HIPAA compliance violations, such as during the investigations that follow a data breach, it can take a number of years before settlements are reached. In this case, the incident that resulted in Parkview Health´s fine for violating the HIPAA Privacy Rule occurred in 2009.
The HIPAA breach was discovered by a doctor who filed a report when he received a delivery of 71 boxes of medical records. The retiring doctor was out at the time and the boxes were left in his driveway, unprotected. The doctor lived in an area of high traffic, and potentially those records could have been accessed, viewed or even stolen. Inside those 71 boxes were the medical files of approximately 8,000 patients
Christina Heide, Acting Deputy Director of Health Information Privacy at OCR, issued a statement following the issuing of the fine for violating the HIPAA Privacy Rule, confirming the responsibilities covered entities have to protect confidential patient health information.
Regardless of the form that the PHI is in, whether it is EHRs or paper files, covered entities are not permitted to leave that data “unattended and accessible to unauthorized persons.” The complaint against Parkview Health was upheld, and the healthcare provider was deemed to have not taken sufficient care to protect the confidentiality of its patients.
When the OCR discovers violations of HIPAA Privacy Rule, the financial penalty is only one aspect of a settlement. The covered entity must also adopt an action plan which is aimed at rapidly bringing their data security standards, policies and procedures up to date and fully compliant with HIPAA regulations. For Parkview this includes the provision of further training to all staff – required to handle PHI – on HIPAA Rules and regulations.
The latest settlement brings the total fines issued by the OCR for violations of the Privacy, Security and Breach Notification Rules to $23 million. These have been issued as a result of 23 investigations the OCR has conducted. Those incidents involved 42 million protected health records which have potentially been accessed, viewed or stolen by unauthorized third parties.