HIPAA and Compliance News

OCR Settles Improper PHI Disposal Case, Resolves Potential HIPAA Violation

New England Dermatology agreed to pay $300,640 to resolve a potential HIPAA violation after it threw away specimen containers labeled with PHI in an unsecured garbage bin.

By Jill McKeon

The HHS Office for Civil Rights (OCR) settled a case with New England Dermatology and Laser Center (NEDLC) to resolve a potential HIPAA violation involving improper protected health information (PHI) disposal. NEDLC paid $300,640 to OCR and agreed to implement a corrective action plan.

The Massachusetts-based practice filed a breach report with OCR in May 2021 stating that empty specimen containers with labels that included PHI were thrown away in a garbage bin in the practice’s parking lot. What’s more, on March 31, 2021, a third-party security guard found one specimen container with a label containing PHI in the parking lot.

The labels included patient names, birth dates, dates of sample collection, and the name of the provider who took the specimen.

“NEDLC stated that it regularly discarded specimen containers with an attached label that contained PHI as regular waste, bagged and placed in an exterior dumpster accessible via the parking lot, without alteration to the PHI containing label,” OCR stated. “This practice was in effect from February 4, 2011 until March 31, 2021.”

OCR’s New England Regional Office investigated the incident and found potential HIPAA Privacy Rule violations, including the impermissible use and disclosure of PHI and failure to employ appropriate safeguards to maintain the privacy of PHI.

The settlement does not equate to an admission of liability by NEDLC. The practice agreed to implement a corrective action plan that requires it to develop, maintain, and revise its policies and procedures surrounding the handling of PHI.

NEDLC is also required to designate a privacy official who is responsible for the implementation of those policies, and it must distribute the new policies to all members of the workforce and relevant business associates within 30 days of HHS approval.

Additionally, NEDLC must submit an implementation report and annual reports to HHS and must train its workforce members to handle PHI in compliance with its updated policies and procedures.

“Improper disposal of protected health information creates an unnecessary risk to patient privacy,” Melanie Fontes Rainer, acting OCR director, explained in the announcement.

“HIPAA regulated entities should take every step to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public.”

In its announcement, OCR also linked to HHS guidance surrounding the proper disposal of PHI to help organizations avoid similar situations. The HIPAA Privacy Rule requires covered entities to implement appropriate administrative, technical, and physical safeguards to protect PHI at all times.

“Thus, covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons,” the guidance stated.

“However, the Privacy and Security Rules do not require a particular disposal method. Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps.”

Covered entities are not permitted to throw PHI away in publicly accessible dumpsters unless the PHI has been rendered unreadable. Instead, covered entities should consider using a disposal vendor as a business associate to safely discard PHI. Alternatively, organizations could place PHI in a locked dumpster that is only accessible by authorized individuals.