
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Improper Disposal of PHI Results in $300,640 HIPAA Penalty

Massachusetts-based New England Dermatology P.C., dba New England Dermatology and Laser Center (NDELC), has agreed to settle a HIPAA violation case with the HHS’ Office for Civil Rights (OCR) and has paid a $300,640 penalty to resolve alleged violations of the HIPAA Privacy Rule.

On May 11, 2021, NDELC notified OCR about a privacy breach involving the protected health information of 58,106 patients. On March 31, 2021, NDELC disposed of empty specimen containers in a regular dumpster in the NDELC parking lot. The containers had labels that included patients’ names, dates of birth, sample collection date, and the names of the providers who took the specimens. OCR investigated the incident, and NDELC revealed it was a standard practice to dispose of empty specimen containers with regular waste, and that the practice had been in effect from February 4, 2011, until March 31, 2021.

The administrative safeguards of the HIPAA Privacy Rule – 45 C.F.R. § 164.530(c) – require appropriate administrative, technical, and physical safeguards to be implemented to protect the privacy of protected health information. Covered entities must reasonably safeguard protected health information to limit incidental uses or disclosures, and must reasonably safeguard protected health information from any intentional or unintentional use or disclosure. When protected health information no longer needs to be legally retained, it must be disposed of securely in accordance with HIPAA compliance rules, which means protected health information must be rendered essentially unreadable and indecipherable, and must be incapable of being reconstructed, prior to disposal.

In addition to a violation of 45 C.F.R. § 164.530(c), OCR determined there had been an impermissible disclosure of PHI to unauthorized individuals, in violation of 45 C.F.R. § 164.502(a). NDELC chose to settle the case with no admission of liability. In addition to paying a financial penalty, NDELC has agreed to implement a corrective action plan, which includes two years of training and monitoring.


“Improper disposal of protected health information creates an unnecessary risk to patient privacy,” said Acting OCR Director Melanie Fontes Rainer. “HIPAA-regulated entities should take every step to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public.” Rainer replaced Lisa J. Pino in July 2022. Pino held the post of OCR Director for 10 months.

It has been a busy year of HIPAA enforcement for OCR. 22 HIPAA cases have been resolved with financial penalties, more than any other year to date.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
