My partner Elizabeth Litten was quoted at length by Alexis Kateifides in his recent article in DataGuidance entitled “USA: ‘Unique’ HIPAA violation results in $800,000 settlement.” While the full text can be found in the June 26, 2014 article in DataGuidance.com, the following considerations are based upon points discussed in the article. (Elizabeth herself has written many entries on this blog related to the topic of large breaches of protected health information (“PHI”) under HIPAA.)
The article discusses the June 23, 2014 press release in which the U.S. Department of Health and Human Services (“HHS”) announced that it had reached a Resolution Agreement (the “Resolution Agreement”) with Parkview Health System, Inc. d/b/a Parkview Physicians Group, f/k/a Parkview Medical Group, a nonprofit Indiana health provider (“Parkview”). Pursuant to the Resolution Agreement, Parkview has agreed to pay $800,000 as a “Resolution Amount” and to enter into a corrective action plan to address its HIPAA compliance issues.
There are several interesting aspects to the Parkview incident and Resolution Agreement, including those in Elizabeth’s comments quoted below. The Resolution Agreement recites that it relates to an incident that was reported in a complaint to HHS on June 10, 2009 by Dr. Christine Hamilton, a physician. Dr. Hamilton apparently asserted that Parkview failed to appropriately and reasonably safeguard the PHI of thousands of her patients in paper medical records that had been in the custody of Parkview from September 2008, when Dr. Hamilton had retired. The Resolution Agreement alleged that
Parkview employees, with notice that Dr. Hamilton had refused delivery and was not at home, delivered and left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of Dr. Hamilton’s home, within 20 feet of the public road and a short distance away (four doors down) from a heavily trafficked public shopping venue.
Elizabeth pointed out in the DataGuidance article, “The fact that Parkview left such a large volume of medical records in an unsecured location suggests that Parkview acted with ‘willful neglect’ as defined by the HIPAA regulations.” Elizabeth went on to say in the article,
Although the resolution amount of $800,000 seems high given the fact that the records were, apparently, intended to be transferred from one covered entity to another, the circumstances suggest that Parkview was intentionally or recklessly indifferent to its obligation to secure the records. Second, the incident underscores the risks attendant to paper records. A majority of large breaches involve electronic records, but paper PHI is also vulnerable to breach and covered entities and business associates need to realize that large fines and penalties are also likely to be imposed for failure to secure PHI contained in paper form. . . . While the Resolution Agreement does not provide very much information as to the events leading up to the ‘driveway dumping’ event, its recitation of the facts raises the possibility that Parkview may not have had proper authorization to hold the records in the first place. . . . Parkview ‘received and took control’ of the records of 5,000 to 8,000 of the physician’s patients in September of 2008, because it was ‘assisting’ the physician with transitioning the patients to new providers and was ‘considering the possibility of purchasing’ the records from the physician, who was retiring and closing her practice. The ‘driveway dumping’ did not occur until June of 2009. It is not clear from the Resolution Agreement when the physician retired, whether Parkview ever treated the patients, and/or whether Parkview was otherwise appropriately authorized under HIPAA to receive, control and hold the records for this 10-month period.
In addition to the incisive analysis by Elizabeth in the DataGuidance article, there are a few other points worth making relative to the Resolution Agreement. First, the incident is not posted on the HHS “Wall of Shame” for large PHI breaches affecting 500 or more individuals because it occurred several months before the effective date in September 2009 for such posting. Second, it is noteworthy that it took almost five years after the incident for the Resolution Agreement to be signed between Parkview and HHS. Third, Parkview’s Web site appears, to this point in time, to be notably void of any reference to the Resolution Agreement or payment of the Resolution Amount.
Finally, the Resolution Agreement took great effort to make it clear that the $800,000 payment by Parkview was not a civil monetary penalty (“CMP”) but a “resolution amount”; in the Resolution Agreement, HHS reserved the right to impose a CMP if there was noncompliance by Parkview with the corrective action plan. The HHS Web site says the following about the relatively few cases of resolution agreements (only 21 reported to date):
A resolution agreement is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement likely would include the payment of a resolution amount. These agreements are reserved to settle investigations with more serious outcomes. When HHS has not been able to reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action through other informal means, civil money penalties (CMPs) may be imposed for noncompliance against a covered entity. To date, HHS has entered into 21 resolution agreements and issued CMPs to one covered entity.