Indiana Attorney General Obtains Data Breach/HIPAA Settlement

On Jan. 5, 2015, a Marion County Court entered a Consent Judgment between the Indiana Attorney General and dentist Joseph Beck, regarding the alleged improper disposal of patient records. In the Judgment, Dr. Beck agreed to pay a monetary penalty of $12,000. The Judgment states that the Attorney General filed a Complaint for violation of the Indiana Disclosure of Security Breach Act and HIPAA. According to the Attorney General’s website, in March of 2013, Dr. Beck hired a private company to retrieve and dispose of his patient records, which included names, health information, birth dates, Social Security Numbers, insurance information, and state identification numbers. According to the Attorney General, less than a week later, 63 boxes of patient records were found in a dumpster at a church on the south side of Indianapolis. The Attorney General announced that this was the first time Indiana sued for a violation of HIPAA. This recent settlement serves as a reminder that HIPAA requires disposal of paper records in a secure manner, which does not include discarding the records in a dumpster. Shredding is an acceptable method of disposal. This recent settlement also serves as a reminder that Indiana, like most states, has its own security breach laws that apply to personal information, which includes, but is not limited to, protected health information.