Urological Associates of Southern Arizona, a urology clinic based in Tucson, has announced that it has discovered it has been breaching HIPAA regulations by improperly disposing of material containing Protected Health Information. Up to 3,000 patients could potentially have been affected.
Some employees at its Tanque Verde and Green Valley clinics were not shredding the labels on urine sample cups after they had been used, and instead disposed of them in the regular trash. This suggests that the individuals had not received appropriate training on HIPAA Rules.
The labels contained patient names, dates of birth, physician names, dates of service and an internal chart reference number. No Social Security numbers were exposed in the incident. While this is a violation of HIPAA rules, the clinic does not believe that any of that information has been accessed or used for criminal purposes.
The clinic has issued breach notification letters to the affected patients to apologize for the incident, and to alert them to the possibility that their information has been exposed. They have also been advised that policies have been updated to prevent future breaches from occurring.
Heavy Fines Possible For Improper Dumping
The Department of Health and Human Services’ Office for Civil Rights enforces Health Insurance Portability and Accountability Act Rules and can fine organizations up to $1.5 million for a HIPAA violation. Since this breach has been allowed to occur for three years, a maximum fine of $4.5 million could be issued, and more if other classes of HIPAA violations are discovered by investigators.
This does not appear to be a case of willful neglect with regards to the disposal of PHI, as it was company policy to destroy all health information prior to disposal. However, it would appear that this was not always the case and the disposal of PHI was not being monitored.
Data Breaches Easily Caused by a Lack of Training
HIPAA-covered entities may implement all the technical and physical controls needed to secure PHI; however, if staff are not trained on the HIPAA Rules covering the disposal of confidential information, data breaches and accidental disclosures are likely to occur.
It is essential that all staff required to come into contact with PHI receive full training on Privacy and Security Rules, and that compliance is monitored internally.
It is also essential that a thorough risk assessment is performed covering digital data and all other forms of PHI. In this case, since the data breach lasted for three years, it suggests that either a risk assessment was not performed, or that it was not a routine procedure. This is a potential violation of the HIPAA Security Rule.