A 2009 incident involving the dumping of 71 boxes of medical records will cost an Indiana-based health system, Parkview Health System, Inc. (“Parkview”), $800,000 for alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”). HIPAA requires health care providers and other health care entities, called “Covered Entities,” to safeguard individuals’ protected health information (“PHI”). In a press release issued June 23, 2014, the Department of Health and Human Services (“HHS”) announced the resolution agreement as well as a corrective action plan entered into with Parkview to settle the allegations.

The incident giving rise to the settlement centered on Parkview’s receipt and custody of medical records containing PHI. According to the resolution agreement, in 2008, Parkview took control of approximately 5,000 to 8,000 patient records of a physician, Dr. Christine Hamilton, who was retiring and seeking to transition her patients to new providers. On June 4, 2009, Parkview employees left 71 boxes of medical records in Dr. Hamilton’s driveway when she was not home. The records were left “within 20 feet of the public road and a short distance away (four doors down) from a heavily trafficked public shopping venue.” HHS began its investigation of the incident after Dr. Hamilton filed a complaint alleging that Parkview had violated the HIPAA Privacy Rule.

Although not admitting any fault in the settlement, Parkview was required to enter into a corrective action plan with HHS, which provides for HHS monitoring of Parkview, the updating or developing of new policies and procedures by Parkview to address the safeguarding of PHI in non-electronic form, and the retraining of Parkview employees.

The problem of dumping paper medical records persists; last week, Pennsylvania’s York Daily Record reported that a pile of medical records was found in a public dumpster. The matter has since been referred to Pennsylvania’s Department of State.

These cases highlight the fact that HIPAA protects PHI in any form, even paper records. Covered Entities must be sure to implement policies and procedures to safeguard all PHI, not just PHI in electronic form. The obligation to safeguard PHI is not lessened by the fact that the records in question are being transferred or disposed of, as was the case in the Parkview settlement. Christine Heide, deputy director of health information privacy at the HHS Office of Civil Rights, stated that it is “imperative” that Covered Entities protect patient information during transfer and disposal.

To read the HHS press release, click here.  To read the Parkview resolution agreement and corrective action plan, click here.

To read the York Daily Record’s report on the discovery of recent medical record dumping, click here.