Parkview Health System, operating in Indiana and Ohio, has agreed to pay $800,000 to settle potential HIPAA violations after receiving a complaint from a retired physician alleging that Parkview had violated the HIPAA Privacy Rule. In September 2008, Parkview took custody of medical records for several thousand of the physician’s patients. On June 4, 2009, Parkview employees, with notice that the physician was not home, left 71 cardboard boxes containing these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home.
How could this situation have been avoided?
When the health system took possession of the medical records, it had an obligation to protect the confidentiality of those records. For this reason, patient information should not be left unattended. If an unauthorized person views or obtains patient information, it is a violation of the patient’s privacy and needs to be reported to the Corporate Privacy and Security department.