Tag Archives: PHI

Dumpster Diving Leads to $100,000 Fine for Defunct Business Associate Due to Improper Disposal of Medical Records

By Conor Duffy on Posted in HIPAA, Hospitals and Health Systems, Privacy and Security

On February 13, 2018, the HHS Office for Civil Rights (OCR) announced a $100,000 settlement with a court-appointed receiver representing Filefax, Inc. (Filefax) arising from the 2015 discovery of medical records that contained protected health information (PHI) of over two thousand individuals in a dumpster. Filefax, a now-defunct medical records moving and storage company located in Illinois, acted as a business associate under HIPAA.

OCR initiated an investigation in February, 2015, after receiving an anonymous complaint concerning medical records that had been discovered and delivered to a facility for shredding …

Recent OCR Settlements

By Pamela Del Negro and Linn Foster Freedman on Posted in Privacy and Security

The Office for Civil Rights (OCR) recently announced settlements with healthcare-related entities, including:

  • The OCR entered into a settlement with The Center for Children’s Digestive Health (CCDH) for $31,000.  CCDH is a small for-profit health care provider with seven locations in Illinois. The settlement arose out of an OCR compliance review initiated in August 2015 after an investigation of a CCDH business associate that stored inactive paper medical records for CCDH.  While CCDH had been disclosing PHI to the vendor since 2003, neither party could produce a business associate agreement

Vanderbilt University Medical Center PHI Breached by Patient Transporters

By Linn Foster Freedman on Posted in Privacy and Security

Vanderbilt University Medical Center (VUMC) has announced that it will be sending breach notification letters to over 3,000 patients as a result of unauthorized access to PHI by two patient transporters.

According to the announcement, VUMC audited its medical records (as it is required to do by  HIPAA), and found that two individuals who worked as patient transporters accessed 3,247 patient records between May of 2015 and December of 2016 and were unauthorized to do so. The information accessed included data from adults and minors, including names, dates of birth, …

21st Century Cures Act – Implications for Investigators and Research Sites

By Melissa (Lisa) Thompson on Posted in Clinical Research, Medical Devices, Pharmaceuticals and Biologics, Privacy and Security

Below is a summary of some of the key provisions relevant to investigators and research sites included in the recently enacted, bipartisan 21st Century Cures Act, including human subjects protections and the privacy and security of health information used in clinical research.  Among other requirements, the Act:

*requires the Department of Health and Human Services (HHS) to harmonize the U.S. Food and Drug Administration (FDA) Human Subjects Regulations with the HHS Human Subject Regulations (the Common Rule), which should help streamline research that falls under both sets of regulations;…

LexBlog