According to an article published in the Kokomo (Indiana) Tribune, a former Kokomo dentist, Joseph Beck, “agreed to pay the state $12,000 for disposing of patient files in an Indianapolis dumpster, the Attorney General’s Office (recently) reported. The Attorney General’s Office sued Beck for failing to protect personal information and for improperly disposing of records containing personal information of Indiana residents, which violates state privacy laws as well as the federal Health Insurance Portability and Accountability Act (HIPAA).”
What is significant is that, as the article notes, “This is the first time Indiana has sued for a violation of HIPAA.” The article went on to say, “More than 60 boxes of patient records from Beck’s former Comfort Dental clinic in Kokomo were found discarded in an Indianapolis dumpster in March of 2013. The files contained records from 2002-2007.” Not only are the Feds involved with compliance oversight, but now the states have an active interest, especially when civil monetary penalties can be imposed. States may view this as a way to step up their game when it comes to conducting audits, investigations and prosecutions for HIPAA compliance. With more and more data breaches occurring, this course of action makes perfect sense.
The Office for Civil Rights (OCR), which enforces Federal regulations and compliance for HIPAA, has been conducting training for State Attorneys General (AGs). OCR developed HIPAA enforcement training for state AGs and their staff on how to use this authority to enforce the HIPAA Privacy and Security Rules. The training course provides assistance on how to investigate HIPAA violations. But more importantly, the training shows AGs how to seek civil damages for HIPAA violations that affect residents of their respective states.
In this recent Indiana case, the dentist “hired a private company, Just the Connection, Inc. to retrieve and dispose of his patient records, which included names, medical records, phone numbers, birth dates, Social Security numbers, insurance cards, insurance information and state ID numbers.” It is unclear whether Beck had a Business Associate Agreement (BAA) in place with the private company to properly dispose of the records. A BAA would have been required in this case.
For a covered entity, this story reinforces the need not only to have a BAA in place with any vendor who accesses your protected health information, but also to make sure your own HIPAA policies and procedures cover proper record disposal. Any BAA must require that the business implement the proper safeguards to prevent unauthorized use or disclosure of protected health information (PHI), not only for electronic records but also for any paper records or charts. This is especially critical for the document destruction process for PHI.
Although smaller state civil settlements are not on par with the millions OCR seeks in a resolution agreement, they do allow the states to become more engaged in investigating these types of breaches. Just one more reason to be HIPAA compliant.