Doctors with health logo

Editor: Today's guest blog post is from Kelli Tarala.

The Department of Health and Human Service (HHS) Office for Civil Rights (OCR), recently fined Parkview Health System $800,000 for HIPAA privacy violations involving leaving seventeen boxes of non-electronic health records unsupervised at the end of physician’s driveway. As a result of the settlement, the health system must adopt a corrective action plan which includes staff training and an implementation report on that training to OCR. Let’s take a closer look at this case by reading the HHS Resolution Report.

“On June 4, 2009, Parkview failed to appropriately and reasonably safeguard the PHI, when Parkview employees, with notice that Dr. Hamilton had refused delivery and was not at home, delivered and left 17 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of Dr. Hamilton’s home, within 20 feet of the public road and a short distance away (four doors down) from a heavily trafficked public shopping venue."

What went wrong? Parkview is a covered entity and is required by Federal Regulations (45 C.F.R.) to keep safe that protected health information.  In regulation-speak, Parkview was responsible to appropriately and reasonably safeguard  that PHI until it was transferred with permission in accordance with C.F.R  45 or until the PHI was rendered unreadable, unusable or indecipherable to unauthorized people. By leaving the boxes of medical records unattended in the driveway, the PHI was not protected.

Lessons Learned: End-user security awareness training pays for itself, in light of avoiding a $800,000 fine. By teaching staff members, volunteers, and even third party vendors about the importance of safeguarding PHI, we start to reinforce, a frame of mind, a daily practice. This creates a culture of teaching employees not just about memorizing rules and procedures, but a culture where defending and safeguarding protected health information is enshrined as part of your organization’s culture.  One great tool for creating and reinforcing a culture of protecting patients and their data is the SANS STH HealthCare solution. This comprehensive awareness training library is written to befriend and persuasive employees at all levels of the organization to safeguard confidential  information.

Bio: Kelli Tarala is a principal consultant and co-owner of Enclave Security. Her career began in 1994 as a system administrator and technical editor at a pharmaceutical research organization. As a security architect and project manager, she specializes in IT audit, governance, and information assurance strategies. She is a SANS Institute courseware co-author for MAN 415 A Practical Introduction to Risk Management Class and SEC566 Implementing and Auditing the Critical Security Controls - In-Depth. In her spare time, she contributes to Council on CyberSecurity Critical Security Controls project and enjoys running and kayaking.