Naperville Psychiatrist May Have Had PHI of 10,500 Patients Exposed

Oct 18, 2017

The medical details of more than 10,000 patients of a Naperville, IL-based psychiatrist – Dr. Riaz Baber, M.D. – have been found in the basement of an Aurora residence by the woman who rented the house from the psychiatrist.

The files in question had been kept in the basement for at least four years.

The woman, Barbara Jarvis-Neavins, was allegedly given a key to the basement by the psychiatrist’s spouse, as access was needed when workmen had to visit the residence. Ms. Jarvis-Neavins was told that she had to accompany workmen when they needed to access the basement.

Jarvis-Neavins said she wished to report the presence of the files, and the fact that she was able to access the storage area, but thought that by doing so she would be asked to vacate the property by the landlord. When she was advised that she had to leave because the house was being sold, she contacted law enforcement – including the FBI – and state regulators to report the incident. The FBI referred her to the Department of Health and Human Services’ Office for Civil Rights, and she submitted a complaint. She also contacted media outlet NBC 5.

NBC 5 reporters investigated the tip-off and broadcast the story in March 2017. She advised reporters that boxes of files were stored in the basement and that the files there “has [patients] name, their address, their birthdate, their social security number, what’s wrong with them, what they’re being treated for, and what medication.”

NBC 5 reporters went to the property and contacted Dr. Baber. His attorney released a statement confirming the tenant should not have been given access to the basement, that a key was never given to her, and that the records were secured and the doors to the basement were locked. The files were believed to have been removed from the property the day after NBC 5 contacted Dr. Baber.

On September 28, 2017, the Office for Civil Rights was made aware of the breach of 10,500 records of Dr. Riaz Baber. It is not clear why it took six months for the breach to be officially reported, when HIPAA Rules require a breach report to be filed within 60 days of identification.

Covered organizations and their business associates that choose to store physical records such as physicians’ notes, charts, x-ray films, or documents off site must put in place administrative, technical, and physical measures to ensure the confidentiality, integrity, and availability of patients’ protected health information (PHI). Access to the facility must also be restricted to stop unauthorized people from accessing PHI. In this case, some of the files were accessed by Jarvis-Neavins and the reporters, although no damage seems to have been done to patients.


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations.
