Indiana Medical Providers Are Required to Protect Patient Records from Unauthorized Disclosure

Medical providers in Indiana have a duty to provide a standard level of care to each patient they treat. Individuals in the healthcare field are also required to comply with a number of state and federal laws. For example, medical professionals who fail to obey patient privacy laws can face serious consequences. A former Indiana dentist has reportedly agreed to pay a hefty fine over alleged patient privacy violations.

According to the Office of the Indiana Attorney General, the former Kokomo dentist improperly disposed of more than 60 boxes of unredacted patient records in an Indianapolis dumpster in violation of Indiana privacy laws and the Health Insurance Portability and Accountability Act (“HIPAA”). The boxes apparently contained patient names, addresses, Social Security numbers, birth dates, and insurance information spanning a period of at least five years. In response to concerns from the owner of the dumpster, the Attorney General’s Office recovered the boxes.

The dentist apparently disposed of the documents after his license was permanently revoked in 2011 following a separate investigation by the Attorney General’s Office. At the time, the dentist was accused of committing negligence and engaging in fraudulent billing practices. In a recent Marion County consent judgment, the former dentist agreed to pay $12,000 to the state over the “egregious” patient privacy violations.

In December, Indiana Attorney General Greg Zoeller proposed legislation that was designed to expand the state’s Disclosure of Security Breach Act to include paper records as well as electronic patient information. The proposed legislation, aimed at preventing identity theft, would also require that personal or financial information stored online be securely kept, deleted when appropriate, and shared only when previously authorized by law or the consumer. The suggested law would also expand consumer and patient notification requirements with regard to data breaches and make business privacy policies more transparent.

All healthcare providers in Indiana are required to maintain patient records in a confidential and private manner. Except in specific and limited circumstances, medical providers must obtain a patient’s consent prior to releasing his or her healthcare records. For example, a doctor may share patient information for treatment purposes, with an individual who is authorized to act on behalf of the patient, and for certain law enforcement purposes. Additionally, records related to Medicaid or CHIP eligibility may only be disclosed to the Office of Medicaid Policy and Planning.

HIPAA is a federal law that requires medical providers to protect individually identifiable health information. Like Indiana’s patient privacy laws, HIPAA states that hospitals, physicians, dentists, and others may not release protected health information except in limited circumstances. Although the law does not provide individuals with a private cause of action over alleged violations, an Indiana Court of Appeals recently upheld a jury’s decision holding an employer liable for a pharmacy worker’s negligent release of a patient’s protected healthcare information.

Medical malpractice lawsuits can be time-consuming and complex. If you were injured by a healthcare provider’s negligent act, you should speak with an experienced personal injury lawyer as soon as possible. To discuss your rights with a Merrillville medical malpractice attorney today, call Theodoros & Rooth, P.C. at (219) 212-2462 or contact us through our website.

Additional Resources:

Former Kokomo dentist agrees to fine for violating HIPAA, by Mike Fletcher, Kokomo Tribune

AG Zoeller, Sen. Merritt propose legislation to protect Hoosiers from identity theft, data breaches, Office of the Indiana Attorney General Press Release dated December 22, 2014