HIPAA Hunting Season Opens: OCR Bags $800k Settlement for Boxes Left in Physician’s Driveway

Jerome B. Meites, chief regional civil rights counsel of the U.S. Department of Health and Human Services (HHS) stated at an American Bar Association conference in Chicago on June 12, 2014 that he expects penalties during the next twelve months to set records, as the Office of Civil Rights plans to restart a round of HIPAA audits of healthcare providers, health plans and Business Associates such as healthcare information application developers, law firms and consultancies. OCR began its initiative by backing its words with money, posting a vacancy notice stating it was seeking to hire additional enforcement personnel. Shortly thereafter, on June 23, 2014, it underscored the surge in enforcement by issuing a press release concerning a settlement for $800,000 as a result of a somewhat unusual HIPAA violation.

Reminiscent of the plight of singer Arlo Guthrie, who could not find a place to dispose of the trash from Thanksgiving dinner at Alice’s Restaurant because the town dump was closed and so left the trash outside the dump, resulting in a criminal conviction that kept him out of the armed forces, Indiana-based Parkview Health Systems, Inc. settled a penalty proceeding for $800,000 for leaving boxes of medical records in a physician’s driveway when the physician was not at home to take delivery.  The OCR Resolution Agreement did not state that anyone had accessed the records or that any of the boxes, which contained medical charts of several thousand patients, had been opened. Nonetheless, the proceeding was settled for a substantial penalty. Parkview, as a result of the Resolution Agreement, will face additional expenses for implementing a Corrective Action Plan comprising of a revision of policies and procedures and workforce training, and compliance submissions to OCR.

Whether or not the punishment in this case truly fits the crime, healthcare organizations and Business Associates should take notice that OCR is fashioning itself as a privacy sheriff, and will be no doubt seek to send strong messages by imposing substantial penalties.  Wise advice to those who may find themselves in OCR’s audit or investigation crosshairs is to be prepared by assuring that HIPAA safeguards, workforce training and the HIPAA Security Risk Analysis are current and robust.

For more information on HIPAA compliance, and OCR audit and investigation proceedings, please contact Kenneth N. Rashbaum.