Sunday, June 29, 2014

Parkview Health System will pay $800,000 and adopt a corrective action plan as a result of deficiencies in its HIPAA compliance program

Violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are just plain bad for business, and as the old saying goes, an ounce of prevention is worth a pound of cure. When was the last time you had an external review to identify risks? The compliance team at Parkview Health System is probably asking itself today whether an ounce of prevention could have saved $800,000 and an immeasurable loss of confidence in the community.

Parkview Health System, Inc. agreed to settle potential violations of the HIPAA Privacy Rule with the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Parkview will pay $800,000 and adopt a corrective action plan to address deficiencies in its HIPAA compliance program. OCR opened an investigation after receiving a complaint from a retiring physician alleging that Parkview had violated the HIPAA Privacy Rule. In September 2008, Parkview took custody of medical records pertaining to approximately 5,000 to 8,000 patients while assisting the retiring physician to transition her patients to new providers, and while considering the possibility of purchasing some of the physician’s practice. On June 4, 2009, Parkview employees, with notice that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue.


Notably, this settlement highlights the significance of conducting routine risk and vulnerability assessments, having adequate written policies in place, and conducting workforce training on HIPAA privacy and security policies. It is imperative that all covered entities and business associates proactively review the mandatory requirements under HIPAA and carefully evaluate and monitor compliance. To ensure you are compliant, you and your business associates should update security policies and procedures and provide ongoing HIPAA compliance training. SiddelLaw can assist you in implementing protections as well as conduct an in-depth risk assessment. If you have any questions or require assistance developing and implementing a compliance plan for your entity or conducting a risk assessment, please contact an experienced healthcare attorney at 831-718-9340.
