Home Health & Hospice Week

OCR sheds no light on how it calculated the whopping $800,000 penalty.

If you’re so caught up in securing all the protected health information on your computers, networks and mobile devices that you have started to ignore your paper records, you could be making a very costly mistake. As a recent HIPAA breach case demonstrates, the HHS Office for Civil Rights isn’t pulling any punches when it comes to paper records.

OCR lowered the boom on community-based healthcare system Parkview Health System Inc. (serving northeast Indiana and northwest Ohio) following a complaint filed back in June 2010. OCR launched an investigation after receiving the complaint, which was received from a retiring physician who alleged that Parkview violated the HIPAA Pri-vacy Rule.

Background: In 2008, Parkview took custody of medical records belonging to about 5,000 to 8,000 patients while helping the retiring physician to transition her patients to new providers, according to OCR. Parkview considered purchasing some of the physician’s practice as well.

On June 4, 2009, Parkview employees left 71 cardboard boxes of these medical records unattended in the retiring physician’s driveway when they discovered that she was not at home, OCR states. The medical records were “accessible to unauthorized persons” and “within 20 feet of the public road,” which was “a short distance away from a heavily trafficked public shopping venue.”

What OCR Demands In The CAP

In addition to the $800,000 fine, Parkview agreed to a corrective action plan (CAP), OCR says. According to attorney Linn Foster Freedman in analysis for law firm Nixon Peabody, the CAP requires Parkview to:

• Develop, maintain, and revise, as necessary, any written policies and procedures, including addressing non-electronic PHI, and provide them to HHS for approval;

• Distribute the approved policies and procedures to all workforce members who have access to PHI and to new employees within 20 days of starting work;

• Review policies and procedures periodically and promptly update them when operations or regulations change; and

• Develop workforce training and submit it to HHS for approval, and then train all employees, document the training through a dated certification from each employee who received training, and train new employees within 20 days of starting work.

Parkview must also notify HHS in writing within 30 days if Parkview determines that a workforce member has violated the policies and procedures, noted attorney Jefferson Lin in a blog post for Seattle-based Ogden Murphy Wallace Attorn-eys. And the settlement agreement requires Park-view to submit to HHS a final report demonstrating compliance with the CAP.

Don’t Ignore Your Security Practices For Paper Records

Sure, this settlement appears to provide the straightforward wisdom: provide proper HIPAA training to all employees and institute proper HIPAA policies and procedures. Or perhaps the simplest lesson is: don’t leave boxes of medical records unattended in someone’s driveway. But experts believe there’s more that you can learn from this case.

Caution: “The settlement is particularly notable because it relates to paper records, which is a departure from OCR’s recent focus on electronic PHI,” pointed out health law attorney Leah Roff-man in a blog post for law firm Cooley. And OCR has highlighted that too many complaints stem from improperly discarded or transferred records.

“Organizations should pay careful attention to the transfer and disposal of both electronic and paper patient records,” Lin stressed. And OCR has posted some helpful FAQs regarding HIPAA and the proper disposal of PHI and patient records at www. hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf.

The document answers six questions regarding “What do the HIPAA Privacy and Security Rules require of covered entities (CEs) when they dispose of PHI?”:

1. May a CE dispose of PHI in dumpsters accessible by the public?

2. May a CE hire a business associate (BA) to dispose of PHI?

3. May a CE reuse or dispose of computers or other electronic media that store electronic PHI?

4. How should home health workers or other workforce members of a CE dispose of PHI that they use off of the CE’s premises?

5. Does the HIPAA Privacy Rule require CEs to keep patients’ medical records for any period of time?

Beware Of Arbitrary Settlement Amounts

Another interesting aspect of this particular settlement is the seemingly large penalty — inching dangerously close to the $1-million mark. Experts are puzzled at the large settlement amount particularly because the case involved no actual improper access to the PHI.

Watch out: “Although there is no mention that an unauthorized person actually had access to or took any records from the boxes in the driveway, Parkview agreed to pay $800,000 for the violation,” Freedman noted. “There is no guidance on what the settlement amount is based upon or how it was calculated under the HIPAA regulations.”

Bottom line: As more and more breach cases come to light, pay attention to not only the trends in the terms of CAPs, but also the monetary settlement amounts. And experts hope OCR will become more transparent in how it calculates these penalties.