HIPAA covered entities that may have focused their efforts and budget on electronic health records should pay proper attention to the protection of paper health records if they want to avoid an HHS investigation and an $800,000 fine.
An HHS action against Parkview Health System, Inc., a non-profit Indiana corporation, clearly states that paper health records, while they may not be subject to the HIPAA Security Rule, are subject to other HIPAA regulations and must be protected with appropriate security measures.
A physician had provided the paper records of more than 5,000 patients to Parkview, in connection with the transition of her practice as part of her retirement. Parkview employees were tasked with delivering boxes of health records. Even though they had been made aware that the intended recipient was not present to accept delivery, they left 71 boxes of patient health records on the physician’s driveway, unattended, accessible for anyone to take. The physician reported Parkview’s conduct to the HHS Office of Civil Rights (OCR), which investigated the incident.
The OCR found that Parkview had failed to comply with Section 45 CFR 164.530(c) of the HIPAA Privacy Rule, which requires covered entities to have in place appropriate technical, physical and administrative measures to safeguard protected health information. The Resolution Agreement requires Parkview to
- Pay an $800,000 fine;
- Develop, maintain, and revise, as necessary, written policies and procedures to protect its paper health records;
- Submit the policies to HHS OCR for its approval;
- Train its personnel who have access to PHI;
- Provide an implementation report to the HHS OCR;
- Keep records of all activities conducted in implementing the Resolution Agreement for six years.
Effect of 45 CFR §164.530(c)
The OCR based most of its action against Parkview on violations of Section 164.530(c) of the HIPAA Privacy Rule. In the Parkview case, the records abandoned on a driveway were paper records. Thus, they were not within the scope of the HIPAA Security Rule, which covers only “electronic protected health information” or ePHI.
Section 45 CFR 164.530(c) of the HIPAA Privacy Rule, however, contains a broad security requirement that protects all health records. It provides in part:
(c)(1) Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.
The Resolution Agreement does not provide any detail of what OCR would deem to be appropriate physical, technical, or administrative measures to protect paper PHI.
What should you do?
If, like most healthcare organizations, your company creates or handles paper records containing PHI, you should ensure that these paper records are adequately protected. Consider the following checklist:
- Determine the extent to which your policies and procedures adequately address the protection of paper PHI records.
- Determine the extent to which your contracts with your business associates and other service providers (and their respective business associates and service providers) adequately address the protection of paper PHI records.
- Determine the extent to which the policies and procedures of your business associates and service providers (and their respective business associates and service providers) adequately address the protection of paper PHI records.
- Develop, maintain, and revise, as necessary, your written policies and procedures to adequately address the protection of your paper PHI records after having conducted a necessary risk assessment.
- If you do not know what measures to take to protect these paper records, look at the HIPAA Security Rule. Most of its provisions apply equally well to paper records, and it is likely to serve as a useful reference.
- Train your workforce on the adequate protection of paper records and on their responsibilities in the collection, use, storage, disposal, and transmittal of paper PHI records.
- Keep appropriate records of the activities conducted in the development and implementation of the security program described above, and of the training provided to your personnel.