As a result, Parkview has agreed to pay $800,000 to settle potential violations of the privacy rule of the Health Insurance Portability and Accountability Act, and will adopt a “corrective action plan to address deficiencies in its HIPAA compliance program,” the statement said.
The civil rights office began its investigation following a complaint from a retiring physician. In September 2008, Fort Wayne, Ind.-based Parkview obtained the medical records of between 5,000 and 8,000 patients of a retiring physician as the hospital system looked to buy a portion of the physician's practice and transition patients to other providers. The records were dropped off on June 9, 2009, by Parkview employees “with notice that the physician was not at home.”
“All too often we receive complaints of records being discarded or transferred in a manner that puts patient information at risk,” Christina Heide, the agency's acting deputy director of health information privacy, said in the news release. “It is imperative that HIPAA-covered entities and their business associates protect patient information during its transfer and disposal.”
It was the 21st monetary settlement agreement reached between the OCR and healthcare provider organizations, drugstore chains and health plans over HIPAA violations since 2008. Coupled with one imposition of a monetary penalty, these enforcement activities have yielded payments exceeding $25.9 million.
It also was the fifth monetary settlement so far in 2014, tying the maximum number of settlements reached by the OCR in a single year, providing evidence supporting a former ONC official's recent prediction that enforcement will ramp up this year.
The number of major breaches reported to the OCR this month passed the 1,000 mark, with the records of 31.7 million individuals, a number equal to 1 in 10 people in the U.S., having had their medical records exposed, according to the agency's “wall of shame” website.
Follow Joseph Conn on Twitter: @MHJConn