Indiana Attorney General Announces $12,000 HIPAA Penalty for Discarded PHI

The Indiana Attorney General’s Office has announced its first penalty for Health Insurance Portability and Accountability Act violations pursuant to part 13410(e) of the HITECH Act.

The penalty of $12,000 was imposed on ex Kokomo dentist, Joseph Beck, for unlawfully throwing out of the Protected Health Information (PHI) of his patients. 63 boxes of private records comprising an approximated 7,000 files were found in an Olive Branch Christian Church reprocessing dumpster during March 2013.

Beck had employed a data business known as Just the Connection Inc., to securely abolish the paper files of his ex-patients; but the records were detected during an inquiry by Eyewitness News during March 2013 and are thought to have been in the dumpster for about a week.

The investigating team saw the files to find out their contents and found out that names, addresses, medical diagnoses, phone numbers, dental information, x-rays, Social Security as well as credit card numbers were all included in the records. The patients affected had earlier went to the Comfort Dental offices in Marion or Kokomo between 2002 and 2007. The records were given to the Attorney General’s office which returned queries from affected patients; even though no cases of identity thievery have been registered.

Although the healthcare industry seems to be concentrated on safeguarding electronic health files of patients, Greg Zoeller, Indiana Attorney General, repeated healthcare suppliers that HIPAA also protects hard copies of medical records and that they should also be correctly safeguarded.

In a press announcement, he said, “In a time when online data breaks are top of mind, we might overlook that hard-copy paper records, particularly in a medical situation, can have highly confidential information that’s ready for identity thievery or other wrongdoings.”

Indiana’s Revelation of Safety Breach Act just covers electronic health files, even though legislation has been suggested to expand the rule to include all paper medical files and raise the penalties which can be applied to organizations and individuals that don’t to take the proper measures to safeguard patient health data. The fresh regulation also pertains to data collectors; not only the organization or individual which has the data.

Beck discontinued performing dentistry in 2011 when the Indiana Board of Dentistry revoked his license forever after the Attorney General’s office found out proof of fraudulent billing and negligence. The latest act might have been more stern; the fine imposed was significantly lower than it might have been had the new rule been applicable during the case as well as Just the Connection Inc., would also have been held responsible for the data break.

The Attorney General is transmitting a message to all doctors as well as healthcare suppliers that it will not allow willful security and privacy breaks and will be taking a case against organizations and individuals who breach the laws. Zoeller informed Indiana’s WTHR News, “It is really the duty of any professional or physician to protect the files they maintain”.

Despite having the authority to do this, just 3 Offices of Attorney Generals – VermontConnecticut & Massachusetts – have been imposed fines for HIPAA breaches up to now, and this is for the 1st time an AG’s Agency out of New England has used the entitlement to apply HIPPA regulations and rules.

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.