Document Drop Off: Where One Health System Left Private Patient Medical Records

Monday, June 30, 2014
By Lenis L. Archer, J.D., M.P.H.

A drop off of private patient files to a physician quickly turned into what may be one of the most expensive deliveries in healthcare regulatory history. In 2009, employees of Parkview Health System, a nonprofit organization with hospitals in Indiana and northwest Ohio, left 71 cardboard boxes of private patient medical records in the driveway of a retiring physician.

Within 20 feet of the public road and in close proximity to a heavily trafficked shopping venue, the medical records were left unattended and easily accessible to any unauthorized persons. According to the Fort Wayne, Indiana News-Sentinel, as a result of potentially violating the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA), Parkview Health System reached an $800,000 settlement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

Additionally, Parkview will be required to adopt a corrective action plan to fix deficiencies within its HIPAA compliance program. The corrective plan will include employee training and privacy programs, policy and procedure revisions, and implementation reports to the OCR.

Click here
to read the full story from the Fort Wayne, Indiana News-Sentinel.

Why Did Parkview Health System Have These Files in the First Place?

The Indiana News-Sentinel reported that Parkview originally gained custody of approximately 5,000 to 8,000 patient records while assisting a retiring physician in the transition of her patients to new doctors. The hospital seemed interested in purchasing a portion of the physician's practice. The alleged HIPAA violation was reported by the retiring physician in a complaint to the OCR after she returned home to find the confidential records stacked unprotected in her driveway.

In a statement issued by Parkview, it referred to the alleged violation as an "isolated incident." Nonetheless, covered entities under the HIPAA Privacy Rule, such as Parkview, must always appropriately and reasonably safeguard all protected health information (PHI) in its possession from the moment of acquiring it to the point of disposal.

Parkview Health System Isn't the Only Major Perpetrator in HIPAA Violations.

Another major patient privacy breach was uncovered over the 2014 Memorial Day weekend in the Manchester Township of New Jersey. According to The York Daily Report, a gentleman throwing away personal items at a public incinerator discovered bundles of private medical records overflowing from a Dumpster. After turning in about 47 of the files to authorities, it was discovered the records were from a local doctor's office. The records contained patient health charts, social security numbers and insurance information. Attempts to locate the doctor or the practice have been unsuccessful so this investigation remains open. To read more on this mysterious case, click here.

Reports of HIPAA Violations are Becoming More Common.

According to Modern Healthcare, the Parkview Health Systems alleged HIPAA violation was the fifth monetary settlement so far in 2014. The OCR is cracking down on HIPAA violations. Nearly all complaints of potential patient privacy violations are investigated. That's not a part-time job considering the breadth of HIPAA violation complaints received daily. More than 1,000 major breaches have been reported to the OCR in June 2014 alone. These reports are estimated to include the PHI of 31.7 million individuals, with approximately 1 in 10 Americans potentially having their medical records exposed. To read more from Modern Healthcare on the Parkview Health System case, click here.

So, How Do You Properly Dispose of Records?

According to HHS, physicians and healthcare providers may not arbitrarily discard protected patient medical material. It is also against the law to "dispose of it in Dumpsters or other containers that are accessible by the public or other unauthorized persons." In both of the cases mentioned above, these guidelines were violated. The only time records may be dumped or stored in such receptacles is if the size of the files requires they be put in locked compartments or Dumpsters accessible only by authorized personnel. To read more on the HHS regulations for properly disposing confidential medical records, click here.

Public disposal locations are always frowned upon when properly discarding records containing sensitive information. Most waste authorities across the nation have programs with local healthcare providers. This relationship permits a representative from the healthcare office to either destroy the files in the waste incinerator or to watch someone do it personally and then receives a signed certificate acknowledging the destruction.

Never, under any circumstances, leave undestroyed patient files accessible to the general public.

By Implementing Safeguards, You Can Save Yourself and Practice From a Violation.

As a healthcare physician, you know that it is fundamental to protect the privacy of your patients' medical records and personal information. Safeguarding these files protects you and your practice from civil and criminal penalties. The OCR is placing HIPAA covered entities under the microscope in order to enforce continued patient privacy protection.

OCR investigations of potential HIPAA violations are conducted as audits. These investigations are usually started due to disgruntled employees, patient complaints, loss of records, security breaches, and improper disclosures. A HIPAA risk assessment, required by law, can prevent these types of "mistakes" and protect you from future HIPAA violation investigations. This prevention assessment is a federal requirement for all HIPAA covered entities.

These assessments are a chance to identify areas of improvement and offer a correction before an auditor finds the issue. For example, your privacy forms and procedures should be reviewed every six months. HIPAA laws are notorious for changing often so it can be easy to find yourself not up to date with regulations. Simply performing a risk assessment can protect you from potential monetary fines and criminal liability associated with a HIPAA violation. Do not overlook this mandatory preventive step. To read more on avoiding HIPAA violations, click here for a past blog.

Should you find yourself defending yourself or practice in a potential HIPAA violation, it's good to know what steps to take. On our website there is a two-part blog series to clarify the remedies for a HIPAA violation. Click here for part one. Click here for part two.


How do you properly dispose of private patient information? When is the last time you had a HIPAA risk assessment? Please leave any thoughtful comments below.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at or call (407) 331-6620 or (850) 439-1001.


Hanlon, Rebecca and Czech, Ted. "Private Medical Records Found at Public Dumpster in Manchester Twp." The York Daily Report. (June 18, 2014). From:

Conn, Joseph. "Dropped Off Boxes Cost Parkview an $800,000 HIPAA Settlement."Modern Healthcare. (June 23, 2014). From:

Bogue, Ellie. "Parkview Health Settles Patient Records Violation Lawsuit." News-Sentinel. (June 24, 2014). From:

About the Author:
Lenis L. Archer is as attorney with The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. The Health Law Firm, 1101 Douglas Avenue, Altamonte Springs, Florida 32714, Phone: (407) 331-6620.

George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.

Tag Words: Health Insurance Portability and Accountability Act (HIPAA), HIPAA compliance lawyer, HIPAA compliance date, changes to HIPAA, data security, protected health information (PHI), Patient privacy, U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR), patient rights, HIPAA risk assessment, corrective action plans (CAP), settlement attorney, security breach, data breach, HIPAA compliance audit, HIPAA compliance, privacy, defense attorney, defense lawyer, HIPAA attorney, HIPAA lawyer, compliance plans, The Health Law Firm

"The Health Law Firm" is a registered fictitious business name of George F. Indest III, P.A. - The Health Law Firm, a Florida professional service corporation, since 1999.
Copyright © 1996-2012 The Health Law Firm. All rights reserved.


Like this blog? Add your public comments:

Items in bold indicate required information.