The Health Insurance Portability and Accountability Act’s primary enforcer, the Office for Civil Rights (OCR) has recently settled a violation case with the New England Dermatology and Laser Center (NDELC) resulting in a $300,640 financial penalty to resolve violations of the HIPAA Privacy Rule.
On March 31, 2021, the NDELC disposed of empty specimen containers in an exterior dumpster in its parking lot. An empty specimen container holding PHI was then discovered by a third-party security guard. The empty specimen containers held lots of sensitive personal information including patient names, birth dates, addresses, providers that obtained the specimens, and sample collection dates. The NDELC submitted a breach report to the OCR admitting improper disposal of PHI of more than 58,000 patients.
An immediate forensic investigation was launched by the OCR to determine how and what information had been disclosed without authorization. The OCR discovered that the NDELC’s improper disposal of the containers was common practice from February 4, 2011 until March 31, 2021. Under the administrative safeguards of the HIPAA Privacy Rule, entities subject to HIPAA are required to reasonably safeguard PHI. This entails rendering it unreadable, indecipherable, and otherwise impossible to reconstruct before destruction. The OCR determined that the NDELC had failed to do this.
“Improper disposal of protected health information creates an unnecessary risk to patient privacy,” said Acting OCR Director Melanie Fontes Rainer. “HIPAA regulated entities should take every step to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public.”
The NDELC agreed to settle the HIPAA violation case with a financial penalty of $300,640 and have agreed to implement a Corrective Action Plan to ensure further protection of the PHI they manage. The Corrective Action Plan includes a distribution and updating of policies and procedures, further training for employees, annual reports of HIPAA compliance, and 2 years of credit monitoring for affected individuals free of charge. Despite these agreements, the NDELC has made no admission of liability.
