By Dan Russo
DUBUQUE — After closing operations in Dubuque in April, Planned Parenthood of the Heartland left about 2,500 confidential medical records behind, exposing its patients to a possible breach of privacy that could have legal consequences.
The documents were found by the building’s new owner, Clarity Clinic, May 6 during a walk through an hour before closing by realtors for both parties, Kris Nauman, executive director for Clarity Clinic, a Clarity board member, and Clarity’s development director. Clarity Clinic representatives immediately contacted Planned Parenthood, which sent someone to pick the files up 10 days later, according to Nauman. She said the records were found in a closet that still had a key in the lock.
“Our Medical Director reached out to the Iowa medical board on May 9” said Nauman. “I don’t know what they have done.”
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), a federal law that protects the privacy of medical records, states that doctors and medical clinics are responsible for safeguarding the privacy of their patients’ medical records. If a breach occurs involving more than 500 records, the medical provider is required to contact each patient, as well as the Secretary of Health and Human Services (HHS) and local media outlets. Patients who feel their privacy has been violated can file a complaint with the HHS office of Civil Rights. The HHS has the ability to investigate if a “breach” occurred as a result of a lack of “reasonable diligence” or “willful neglect,” according to the HIPAA law.
“Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated,” states the law.
If found in violation of the act, Planned Parenthood could face fines of anywhere from $100 to $50,000 or more for each violation, according to the law. A representative of the Department of Health and Human Services contacted by The Witness would not confirm or deny whether an investigation has begun, stating that: “We don’t comment on open or potential cases.” The representative declined to be identified.
The HHS has acted to enforce violations of the HIPAA law in recent years. In 2009, the federal government reached a resolution agreement with CVS Pharmacy. The company agreed to pay $2.25 million in fines. In 2010, Rite Aid Pharmacy paid $1 million to settle a HIPPA privacy case. Cornell Prescription Pharmacy settled a HIPAA case in April 2015 by paying a $125,000 fine and taking other agreed upon actions. Iowa also has laws governing medical clinics, but Iowa Board of Medicine spokesman Mark Bowden said those regulations would be enforced by the Iowa Department of Inspections and Appeals, not his organization.
“The situation in Dubuque is unusual,” said Bowden in an email to The Witness. “Abandonment of records does come up occasionally, but I don’t recall a recent case similar to the one you describe.”
According to Bowden, the Board of Medicine does not have authority to investigate a clinic.
“Our purview are licensed physicians,” he said. “We do not report possible violations of HIPAA to the Office of the Inspector General in cases such as the situation in Dubuque because we do not investigate these cases. They are outside of our authority. In the Dubuque case, we encouraged the finder (of the records) to contact Planned Parenthood. If we received a complaint about a physician failing to secure medical records, we would investigate that case.”
Medical services, including telemed abortions under the supervision of a physician, were provided at the Dubuque clinic, but Bowden said the Iowa Board of Medicine has no knowledge of any complaints being filed about a specific doctor.
Planned Parenthood of the Heartland did not return phone calls from The Witness requesting comment, but issued a press release on the incident.
“Planned Parenthood of the Heartland is deeply committed to the privacy and confidentiality our patients have come to expect and rely upon,” said Chief Clinical Officer Penny Dickey in the statement. “We sincerely regret that this incident occurred and are currently conducting a comprehensive examination of our processes to ensure such an incident will never occur again.”
Planned Parenthood has contacted all patients affected by the possible breach. The files left behind contained social security numbers, diagnosis, treatment and other confidential information, according to the statement.
PHOTO: An exam room at the Planned Parenthood South Austin Health Center in Austin, Texas, is shown June 27. In a 5-3 vote that day, the U.S. Supreme Court struck down restrictions on Texas abortion clinics that required them to comply with standards of ambulatory surgical centers and required their doctors to have admitting privileges at local hospitals. (CNS photo/Ilana Panich-Linsman, Reuters)