Dr Riaz Baber, M.D.-a Naperville, Illinois-based psychiatrist-has recently admitted to a breach of patient protected health information (PHI). The breach was discovered medical files of more than 10,000 patients of have been found in the basement of an Aurora property by the woman who rented the house from the psychiatrist. The files had been stored in the basement for at least 4 years, and multiple people had access to the area during that time.
Barbara Jarvis-Neavins-the woman who rented the property from the psychiatrist-was allegedly provided with a key to the basement by the psychiatrist’s wife to allow workmen to access the area when maintenance was needed. She was told that she was required to accompany workmen when they were in the basement to prevent them snooping.
Jarvis-Neavins said she wanted to report the presence of the files and her ability to access the area in which they were stored to the appropriate authorities, but feared that she would be required to vacate the property if authorities knew of the breach. However, she was eventually asked to move of the property as it was being. At this point, she decided to contact local law enforcement and the FBI, as well as the state regulators to report the unsecured files. The FBI referred her to the Department of Health and Human Services’ Office for Civil Rights and she filed a complaint. She also contacted NBC 5, the broadcaster.
NBC 5 reporters followed up on the tip off and covered the story in March, 2017. She told reporters boxes of files were stored in the basement and that the files “has [patients] name, their address, their birthdate, their social security number, what’s wrong with them, what they’re being treated for, and what medication.”
NBC 5 reporters visited the property and contacted Dr. Baber. His attorney responded and issued a statement confirming the tenant should not have had access to the basement, that a key was never provided, and that the records were secured and the doors to the basement were locked. The files were allegedly removed from the property the day after NBC 5 contacted Dr. Baber. On September 28, 2017, the Office for Civil Rights was informed of the breach of 10,500 records of Dr. Riaz Baber. Despite the HIPAA Breach Notification Rules explicitly requiring such a breach report to be submitted within 60 days of discovery, Dr. Baber took nearly 6 months.
Covered entities and their business associates that decide to store physical records such as physicians’ notes, charts, x-ray films, or documents off site must implement administrative, technical, and physical controls to ensure the confidentiality, integrity, and availability of patients’ protected health information (PHI). Access to the facility must also be restricted to prevent unauthorized individuals from accessing PHI. In this case, some of the files were accessed by Jarvis-Neavins and the reporters, although no harm appears to have been caused to patients and they are not at risk of identity theft.