Safeway Fined $10 Million for Improper Disposal of Pharmacy Records and Waste
California prosecutors have reached a $9.87 million settlement with the grocery store chain Safeway for improperly disposing of pharmacy records and hazardous waste in dumpsters. The patient records contained private and confidential medical information and should have been destroyed or rendered unreadable according to California’s Confidentiality of Medical Information Act and the Health Insurance Portability and Accountability Act. Safeway had been disposing of waste and patient pharmacy records improperly for a period of over seven years according to prosecutors. The case relates to a series of waste inspections conducted by state regulators between 2012 and 2013. Inspectors checked the waste at dozens of stores operated by the grocery chain over a period of 18 months. The waste found in dumpster used by Safeway stores was destined for landfill sites. The inspections revealed that approximately 40% of the stores had violated state laws by failing to stop controlled items from being dumped along with regular waste. In a number of cases the inspectors found documents containing...
New Jersey Extends HIPAA: PHI Data Encryption Mandatory
New Jersey Governor, Chris Christie, signed a new law last week that extends the reach of HIPAA, calling for New Jersey healthcare providers to make greater efforts to keep the electronic health records of patients secure. The new law will go into effect in July this year and requires all covered entities to use data encryption software on all electronic devices that contain Protected Health Information. HIPAA does not currently require all health data to be encrypted. The legislation only states that the “encryption of healthcare data must be addressed”. The new law takes this further and mandates encryption. When the law comes into effect in the summer, all end user computer systems including laptop computers, desktop PCs, portable storage devices, tablets and Smartphones will require PHI to be encrypted. The new law states: “Health insurance carriers shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable,...
Error by BlueCross BlueShield of Tennessee Causes HIPAA Privacy Rule Violation
An error at BlueCross BlueShield of Tennessee (BCBST) has lead to the mailing of marketing information to 80,000 members of the TRH Health Plan, and in doing so has inadvertently violated HIPAA Privacy Rule. The healthcare provider has previously had to settle with the Office for Civil Rights for $1,500,000 for past HIPAA violations after 57 computer hard drives were stolen from its facilities; an incident which exposed the personal identifiers and ePHI of over 1 million individuals. The latest HIPAA breach came to light when a number of members of the TRH Health Plan, a not-for-profit service company of Farm Bureau, complained about receiving information from BCBST in the mail. TRH conducted an investigation and has now contacted all 80,000 members to advise them that their contact information may have been used for marketing purposes. The Tennessean was informed by a spokeswoman of BCBST that TRH members were contacted in error. “We made a mistake and included TRH members in a BlueCross Medicare Advantage mail marketing campaign,” she went on to say “The vendors have destroyed...
Inland Empire Health Plan Reports PHI Breach
The decision not to encrypted healthcare data carries a risk that in the event of loss or theft of computer hardware, PHI will be exposed. Inland Empire Health Plan (IEHP) has discovered this following the theft of a desktop computer from its Rancho Cucamonga center on Oct. 28. The incident has affected 1,030 IEHP members. The desktop computer was owned by Children’s Eyewear Sight, a provider of vision services to the health plan’s members. The data exposed in the incident included personal identifiers along with details of past and future appointments and IEHP member ID numbers. No Social Security numbers were exposed, although names, addresses and contact telephone numbers were stored on the laptop computer. A copy of the breach notification letter sent by the IEHP Compliance Department to affected individuals has been posted on the Calif. government website. In the notice plan members are advised that a suspect has been arrested, although the letter does not confirm whether the device was recovered. In accordance with state and federal laws, the incident was been reported to the...
Indiana Attorney General Issues $12,000 HIPAA Fine for Dumped PHI
The Indiana Attorney General’s Office has issued its first fine for Health Insurance Portability and Accountability Act violations pursuant to section 13410(e) of the HITECH Act. The fine of $12,000 was issued to former Kokomo dentist, Joseph Beck, for illegally disposing of the Protected Health Information of his patients. 63 boxes of personal records containing an estimated 7,000 files were discovered in an Olive Branch Christian Church recycling dumpster in March 2013. Beck had hired a data company called Just the Connection Inc., to securely destroy the paper records of his former patients; however the files were discovered during an investigation by Eyewitness News in March 2013 and are believed to have been in the dumpster for up to a week. The investigative team viewed the records to determine their contents and discovered names, addresses, phone numbers, medical diagnoses, x-rays, dental information, Social Security and credit card numbers were all contained in the files. The patients affected had previously visited the Comfort Dental offices in Kokomo or Marion between...



