Security breaches affecting electronic records have taken such a preeminent place on the first page of our daily news reports that it might be easy to forget that paper records may contain information that is just as sensitive and deserves just as much attention. An HHS action against Parkview Health System, Inc., a non-profit Indiana corporation, reminds entities operating in the healthcare market that paper health records are within the scope of HIPAA, and must be protected with appropriate security measures.
HIPAA covered entities that may have focused their efforts and budget on electronic health records should pay proper attention to the protection of paper health records if they want to avoid an HHS investigation and an $800,000 fine.
Factual Background
The Parkview enforcement action arose after Parkview employees abandoned boxes of patient health records on a driveway, accessible for anyone to take. A physician had provided the paper records of more than 5,000 patients to Parkview, in connection with the transition of her practice as part of her retirement. Parkview was assisting the physician in transitioning the patients to other providers, and was considering the possibility of accepting some of these patients.
In connection with these transactions, Parkview employees were tasked with delivering boxes of health records. Even though they had been made aware that the intended recipient was not present to accept delivery, the Parkview employees left 71 boxes of patient health records on the physician’s driveway, unattended, accessible for anyone to take. The physician reported Parkview’s conduct to the HHS Office of Civil Rights (OCR), which investigated the incident.
Settlement
The OCR found that Parkview had failed to comply with Section 45 CFR 164.530(c) of the HIPAA Privacy Rule, which requires covered entities to use appropriate technical, physical and administrative measures to safeguard protected health information. The Resolution Agreement between OCR and Parkview requires the company to pay an $800,000 fine, and to develop, maintain, and revise, as necessary, written policies and procedures (“Policies and Procedures”) to protect its paper health records. These Policies and Procedures must be followed by its workforce and that of all covered entities that are owned, controlled, or managed by Parkview Health System, Inc. These Policies and Procedures must be consistent with the HIPAA Privacy Rule, and must be submitted to HHS OCR for its approval.
The Resolution Agreement also requires Parkview to train its personnel who have access to PHI in the proper handling of paper PHI, provide an implementation report to the HHS OCR, and keep, for six years, records of all activities conducted in implementing the Resolution Agreement.
Effect of 45 CFR §164.530(c)
The OCR based most of its action against Parkview on violations of Section 164.530(c) of the HIPAA Privacy Rule. The important nuance in the Parkview case is that the records left on the physician’s driveway were paper records. Thus, they were not within the scope of the HIPAA Security Rule, which covers only “electronic protected health information” or ePHI.
Section 45 CFR 164.530(c) of the HIPAA Privacy Rule, however, contains a broader security requirement that protects all health records. This provision was written in the early days of HIPAA rulemaking, before the HIPAA Security Rule was first published. Section 45 CFR §164.530(c) provides in its entirety:
(c)(1) Standard: Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.
(2)(i) Implementation specification: Safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.
(ii) A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure.
Section 164.530(c) of the HIPAA Privacy Rule has been significantly overlooked since the adoption of the HIPAA Security Rule. Many covered entities have focused on the stringent provisions of the HIPAA Security Rule, which address the protection of ePHI, and may have neglected their obligations concerning the protection of paper PHI records.
In the Parkview case, the OCR relied on Section 164.530(c) of the HIPAA Privacy Rule to create an obligation to implement security measures for the protection of paper PHI records since they are outside the scope of the HIPAA Security Rule. The Resolution Agreement does not provide any detail of what OCR would deem to be appropriate physical, technical, or administrative measures to protect paper PHI.
What should health organizations and other HIPAA covered entities do?
If, like most healthcare organizations, your company creates or handles paper records containing PHI, you should ensure that these paper records are adequately protected. Consider the following checklist:
- Determine the extent to which your policies and procedures adequately address the protection of paper PHI records.
- Determine the extent to which your contracts with your business associates and other service providers (and their respective business associates and service providers) adequately address the protection of paper PHI records.
- Determine the extent to which the policies and procedures of your business associates and service providers (and their respective business associates and service providers) adequately address the protection of paper PHI records.
- Develop, maintain, and revise, as necessary, your written policies and procedures to adequately address the protection of your paper PHI records after having conducted a necessary risk assessment.
- If you do not know what measures to take to protect these paper records, look at the HIPAA Security Rule. Most of its provisions can be applied to paper records, and it is likely to serve as a useful reference.
- Train your workforce on the adequate protection of paper records, and on their responsibilities in the collection, use, storage, disposal, and transmittal of paper PHI records.
- Keep appropriate records of the activities conducted in the development and implementation of the security program described above, and of the training provided to your personnel.