HIPAA: First Dentist Fined

By Linda Harvey | 02/07/2019 |

HIPAA: First Dentist Fined

Disclaimer: Facts are based upon an actual breach investigation. This case is presented for educational purposes only and does not constitute legal advice or a legal opinion.

Improper disposal of dental records

Areas of Impact:

Regulatory compliance; HIPAA compliance: Privacy and security of patient data

Case Summary:
A former Kokomo, Indiana dentist hired a data company called Just the Connection Inc. to destroy the paper records of his former patients.

Instead, the 63 boxes of records containing an estimated 7,000 patient files were discovered by a local TV news station in a church recycling dumpster in
March 2013. The investigative news team viewed the records and discovered names, addresses, phone numbers, medical diagnoses, x-rays, dental information, Social Security and credit card numbers were all contained in the files. The files were given to the Attorney General’s office to further investigate and to manage questions from concerned patients.

Circumstances of the Case:

The former dentist had his license permanently revoked in December of 2011 for fraudulent billing and negligence. In 2013, he was attempting to dispose of patient records from 2002-2007.

Outcome of the Case:

As a result, the former dentist was fined $12,000 under Indiana State Law by the State Attorney General. At the time, Indiana’s Disclosure of Security Breach Act only covered electronic records. Just the Connection, Inc. was not held liable for the breach.

What could have been done differently?

Here are several questions to consider:

  • Was the data company vetted and a business associate agreement signed?
  • Why was the fine so low?

Risk Management Take-Aways:

  • The HITECH Act increased fines and penalties for violations. A covered entity or business associate could be fined by both the state as well as OCR, which did not occur in this case.
  • It’s imperative that covered entities have a Business Associate Agreement in place as soon as the CE enters into a business agreement with the BA.
  • State law can also be a factor in privacy breaches.

Citation:

http://www.kokomotribune.com/news/former-kokomo-dentist-agrees-to-fine-for-violating-hipaa/article_004c3b6c-983d-11e4-bc24-a7d64f554f14.html

Want to discuss?

Do you have thoughts or questions about this topic? Visit the Members Forum and post your questions, thoughts, etc. and we can discuss and help.

Members Forum
Posted in Articles and Updates

Leave a Comment

You must be logged in to post a comment.