A tenant named Barbara Jarvis-Neavins filed a report against Illinois-based psychiatrist Dr. Riaz Baber for mishandling the medical records of more than 10,000 patients. Apparently, the psychiatrist rented out his property to Jarvis-Neavins who eventually discovered the medical files stored in the basement of the house. Allegedly, the psychiatrist’s wife gave Jarvis-Neavins a key to the basement. When workmen came to the property for a maintenance visit, Jarvis-Neavins needed to accompany the workmen to the basement. Access is necessary so she was given a key.
When Jarvis-Neavins first found out about the files in the basement, she wanted to report that she could access PHI in the property. But she refrained thinking she will be asked to vacate. Later when she was asked to move out because the property was on sale, she eventually reported the unsecured files to the Department of Health and Human Services’ Office for Civil Rights. She also passed the information to NBC5.
NBC 5 reporters covered her story in March 2017. She told about the boxes of medical files with patients’ name, address, birthday, social security number and medical notes. The news report team contacted Dr. Baber who asked his attorney to respond on his behalf. He said that Jarvis-Neavins shouldn’t have had access to the basement and the medicals records were kept secure in the basement. Immediately after NBC 5 contacted Dr. Baber, all the files were taken out of the property.
It’s odd that the Office for Civil Rights only knew about the breach of 10,500 files of Dr. Baber on September 28, 2017 when the fact is it was reported 6 months earlier. HIPAA rules state that the submission of breach report is required 60 days after discovery.
In cases where physical medical records like physician’s notes, x-ray films, charts, etc are to be stored off site, the covered entities and their business associates must put strict controls in place to make sure of PHI (protected health information) integrity and confidentiality. Access to the files should be totally restricted from unauthorized access. In the case of Dr. Baber’s medical records, there was a breach in access and control.