Earlier this year, the United States Department of Health and Human Services Office for Civil Rights (HHS OCR) announced the settlement of a case involving improper disposal of physical protected health information (PHI).
On May 11, 2021, New England Dermatology P.C., d/b/a New England Dermatology and Laser Center (NEDLC), filed a breach report with HHS OCR stating that it had improperly disposed of empty specimen containers bearing labels with PHI on them. NEDLC stated that it had placed the containers in the dumpster in its parking lot and that the labels included patient names, dates of birth, dates of sample collection, and the name of the provider who took the specimen. The issue was discovered on March 31, 2021, when a security guard found one of the specimen containers outside the dumpster in the parking lot.
NEDLC admitted that it had disposed of specimen containers in its parking lot dumpster, without removing the PHI from the labels, from February 4, 2011, through the date of discovery, March 31, 2021, impacting more than 58,000 patients. According to an FAQ published by HHS, entities may not dispose of PHI in dumpsters accessible by the public “unless the …PHI has been rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster.”
As part of the settlement, NEDLC will pay $300,640 and undertake a “robust corrective action plan that includes two years of monitoring.”
According to the Resolution Agreement and Corrective Action Plan (CAP), OCR found two potential violations: (1) a failure to “maintain appropriate safeguards to protect the privacy of PHI, as required by the Privacy Rule” and (2) impermissible disclosure of PHI “to unauthorized individuals in violation of the Privacy Rule.”
The two-year CAP requires that NEDLC develop, maintain, and revise written policies and procedures in accordance with the HIPAA Privacy Rule, including designating a privacy official to implement the policies and procedures and to submit them to OCR for review and approval. Under the CAP, the policies and procedures must include: a policy for the disposal of all PHI created, received, or maintained; protocols for training all employees involved in handling and disposing of PHI, as necessary and appropriate to ensure compliance; procedures to review (and update) the policy for physical safeguarding of PHI; and appropriate sanctions against employees and other workers who do not comply with the policies and procedures.
The CAP also requires that NEDLC provide its training materials to OCR for review and approval, as well as electronic certification from employees that the training is completed at the time of hiring and on an annual basis. NEDLC is also required to file annual reports of compliance along with any reports of policies and procedures violations.
“Improper disposal of protected health information creates an unnecessary risk to patient privacy,” said Acting OCR Director Melanie Fontes Rainer. “HIPAA regulated entities should take every step to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public.”
This case serves as a reminder to covered entities that, although most have largely moved to electronic medical records and Security Rule violations have therefore been more prevalent in recent years, paper records can still be a source of privacy breaches.