The medical records of over 10,000 patients of a Naperville, IL-based psychoanalyst, Dr. Riaz Baber, have been found in the basement of a property by the woman who rented the house from him. The records had been stored in the basement for at least four years.
The tenant, Barbara Jarvis-Neavins, was reportedly given a key to the basement by the psychoanalyst's spouse because access was needed when workmen had to visit the property. She was told that she had to accompany workmen whenever they required access.
Jarvis-Neavins stated that she wanted to report the existence of the records, and the fact that she could access the storage area, but believed that doing so would result in her being asked to vacate the house. When she was told that she had to move out because the house was being sold, she contacted law enforcement, including the Federal Bureau of Investigation, and state officials to report the unsecured records. The Federal Bureau of Investigation referred her to the Department of Health and Human Services' OCR, and she filed a complaint. She also contacted NBC 5.
NBC 5 reporters followed up on the tip and covered the story in March 2017. She told reporters that boxes of records were stored in the basement and that the records "has [patients] name, their birthdate, their address, their social security number, what was wrong with them, what they were being cared for, and what medicine."
NBC 5 reporters visited the house and contacted Dr. Baber. His lawyer replied and issued a statement asserting that the tenant should not have had access to the basement, that a key was never provided, and that the files were secure and the doors to the basement were sealed. The records were reportedly removed from the house the day after NBC 5 contacted Dr. Baber.
On September 28, 2017, the OCR was notified of the breach of 10,500 records of Dr. Riaz Baber. It is not clear why it took 6 months for the breach to be reported when HIPAA Rules require a breach report to be submitted within 60 days of discovery.
Covered entities, as well as their business associates (BAs), that decide to store physical records such as charts, x-ray films, doctors' notes, or documents off-site should implement technical, administrative, and physical controls to ensure the integrity, confidentiality, and availability of patients' PHI. Access to the facility should also be restricted to prevent unauthorized individuals from accessing PHI. In this instance, a few of the records were accessed by Jarvis-Neavins and the reporters, although no harm appears to have been caused to patients.