Stacking Boxes of Paper Charts in Doctor's Driveway = $800,000 fine



          

Stacking Boxes of Paper Charts in Doctor's Driveway = $800,000 fine per AHDI due to HIPAA breach.

As myriad healthcare organizations have attested, the aftermath of a HIPAA violation generally isn't a pretty sight, especially when it comes to one's bank account. One Indiana-based health system has witnessed this reality after being slapped with an $800,000 settlement for violating the HIPAA Privacy Rule.

The six-hospital Parkview Health System in Fort Wayne, Ind., will pay $800,000 to the Office for Civil Rights, the HHS division responsible for enforcing HIPAA, in a settlement that stemmed from a 2009 complaint filed with OCR from a then-retiring Parkview Health physician.

The complaint alleged that Parkview Health, which assumed responsibility of between 5,000 and 8,000 paper medical records of the physician's patients, unloaded 71 boxes containing these records in the doctor's driveway while she was away. According to the complaint, the medical records were unattended and accessible to unauthorized persons on the physician's driveway, located in a heavily trafficked area.

"All too often we receive complaints of records being discarded or transferred in a manner that puts patient information at risk," said Christina Heide, acting deputy director of health information privacy at OCR, in a June 23 press statement announcing the settlement. "It is imperative that HIPAA covered entities and their business associates protect patient information during its transfer and disposal."

As part of the settlement, OCR is requiring that Parkview Health develop, implement and distribute policies and procedures surrounding how employees are required by law to protect patients' health information. Moreover, Parkview Health must also provide all employees who handle protected health information with additional training on safeguarding patient data.

OCR set records this May after announcing its largest monetary settlement to date. New York-Presbyterian Hospital and Columbia University Medical Center together agreed to hand over a whopping $4.8 million to settle alleged HIPAA violations after the electronic protected health information of 6,800 patients wound up on Google back in 2010.

To date, OCR has levied nearly $26 million in monetary settlements against 23 HIPAA-covered entities found to have violated privacy, security and breach notification rules. More than 42 million people have had their protected health information compromised in these breaches.

Ultimately, seeing as the OCR has received some 100,000 HIPAA complaints since 2003, enforcement proves "a very small percentage of the work that we do," commented Iliana Peters, OCR's senior advisor for HIPAA compliance and enforcement, speaking at the HIMSS Media/Healthcare IT News Privacy and Security Forum last week. However, that's no green light to continue shirking one's privacy and security obligations. "It's a very important part of the work that we do," she added.

Peters, who discussed the go-live date of the Phase 2 HIPAA audits slated for end-of-year, also touched upon the idea of creating a culture of compliance. In addressing the attentively-listening forum attendees -- comprised chiefly of information security, privacy and compliance officers -- she said the difficult piece pertains to convincing up the chain, the people who don't necessarily deal with the data every day, she said. "If that message comes from the top and is heard at every level on the way down, then that is in our experience a really compliant organization."

Gerry Hinkley, partner at Pillsbury Winthrop Shaw Pittman's healthcare practice and chair of the HIMSS Legal Task Force, who also spoke at the forum, had a client who experienced a similar incident to that of Parkview Health.

This breach involved records from a hospital emergency department that should have been shredded ending up in a dumpster in front of the hospital. "It was a windy day. Security forgot to put a lid on the dumpster. The records are down the street," Hinkley recounted. Ultimately, school children nearby ended up collecting the records and returned them to the hospital.

"The security guard said, 'not my job,'" said Hinkley. "How could someone seeing papers (flying about) not think, 'Gee, is that something I should think about?'"

The incident could well serve as the poster child for inadequate employee training, added Hinkley. "The key is to have it be owned by everybody from the first person the patient sees to the last one they see and everybody that touches their data in between."

Posted on: Tue, 24 Jun 2014 17:41:21 +0000
