In September 2008, employees of Parkview Health System Inc. returned some files to a retiring physician. Allegedly, Parkview Health System initially took custody of these documents in order to facilitate these patients’ transfer to new providers. The employees brought these boxes of documentation to her residence and, after realizing she was not home, left the boxes on the driveway. This was an innocent mistake on the part of these employees; this ignorance of the Health Insurance of Portability and Accountability Act of 1996 (otherwise known as HIPAA) laws and careless handling of protected health information (PHI) led to a notable violation of HIPAA regulations. This incident resulted in Parkview Health System, Inc. having to pay a sizable “Resolution Amount”.
As a covered entity under the HIPAA Privacy Rule, Parkview must appropriately and reasonably safeguard all protected health information in its possession, from the time it is acquired through its disposition.
While proper handling of documents is always paramount, dealing with health records and mishandling of documentation and/or digital information is extremely important in the medical industry and is considered a federal crime. Ultimately, Parkview Health System, Inc. was subject to a settlement of $800,000 and was forced to take corrective action to maintain immediate compliance. This amount may seem high, especially considering that the records were moving from one covered entity to another, but the negligence of leaving the records so close to a publicly trafficked area showed what many considered a willfully indifferent attitude by Parkview Health System, as pertaining to their obligations.
Further complicating the issue, some have brought up the possibility that Parkview Health System didn’t even have proper authorization to take custody of the records in the first place. It is unclear whether Parkview ever treated these patients at all and if they were authorized under HIPAA to take the documents.
Parkview Health System has remained publicly silent for the most part, somewhat predictably, making no mention of the incident or resolution on their website or published information. The signed agreement stated in no uncertain terms that the payment was not a fine (civil monetary penalty), but rather a ‘resolution amount,’ and reserved the right to apply a Civil Money Penalty (CMP) if agreed-upon corrective action was not taken.
About the difference, the Health and Human Services (HHS) says:
A resolution agreement is a contract signed by HHS and a covered entity in which the covered entity agrees to perform certain obligations (e.g., staff training) and make reports to HHS, generally for a period of three years. During the period, HHS monitors the covered entity’s compliance with its obligations. A resolution agreement likely would include the payment of a resolution amount. These agreements are reserved to settle investigations with more serious outcomes. When HHS has not been able to reach a satisfactory resolution through the covered entity’s demonstrated compliance or corrective action through other informal means, civil money penalties (CMPs) may be imposed for noncompliance against a covered entity. To date, HHS has entered into 21 resolution agreements and issued CMPs to one covered entity.
Some other noteworthy points in reference to their Resolution Agreement include:
– This incident was not posted on the HHS.gov website ‘Breaches Affecting 500 or More Individuals’ used for large PHI breaches
– Took almost five (5) years after this incident for the agreement to be signed between both parties
– Parkview Health System website has no information posted with regards to this incident or payment of the Resolution Agreement thereafter