HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Improper Dumping of Patient Medical Records Continues

This month, Allina Health System and Springfield Community Hospital discovered that medical records had been disposed of without first rendering them indecipherable as required by HIPAA. A third healthcare provider has also just been alerted that some of its confidential patient data have allegedly been illegally dumped.

New Alleged Case of PHI Dumping Reported


The latest case of improper dumping of PHI came to light when a local man reported discovering paperwork from the Cottonwood Comfort Dental clinic on the West Mesa, close to Albuquerque. The man had been on the West Mesa collecting shell casings when he discovered hundreds of paper medical records, according to a KRQE News 13 report. The paperwork allegedly contained patient names, Social Security numbers, insurance information and patient addresses.

The man who discovered the records allegedly took them to a recycling center, although reporters from KRQE claim to have seen some of the data and taken it to the Cottonwood clinic.

An investigation into the alleged privacy breach has been launched by Cottonwood Comfort Dental, but the discovery came as a total shock. The dental clinic uses a vendor to securely dispose of PHI when it is no longer needed. In accordance with HIPAA Rules, all paper records are shredded by its vendor prior to disposal.

Improper Disposal of PHI Still Occurs Despite Heavy Fines Being Issued


Under HIPAA Rules, all Protected Health Information must be disposed of securely. It must not be possible for paper files or ePHI to be read, reconstructed or deciphered should records be accessed by individuals unauthorized to view them. Even though financial penalties have been issued to covered entities for improperly disposing of patient records, covered entities are still failing to adhere to HIPAA rules.

2015 Cases of Improper Disposal of PHI

HIPAA-Covered Entity: Records Reportedly Exposed
Lancaster County EMS: 50,000
South Sunflower County Hospital: 19,000
Allina Health System: 6,000
Planned Parenthood Southwest Ohio: 5,000
Wellmont Health System: 1,726
National Pain Institute: 500


Fines for Improper Disposal of PHI

The Office for Civil Rights can issue severe fines for the improper disposal of PHI, and has done so in the past on numerous occasions.

This year a $125,000 settlement was reached with Cornell Prescription Pharmacy for the improper disposal of PHI. Documents containing PHI were discovered to have been disposed of in a dumpster in 2012. Cornell Prescription Pharmacy is not a major chain, having only one pharmacy. The settlement shows that the size of an organization does not matter when it comes to penalties for HIPAA violations. Financial penalties can and will be issued by OCR if PHI is not disposed of in accordance with HIPAA Rules.

In 2010, Rite Aid settled with OCR after its pharmacy stores improperly disposed of PHI. An investigation was launched by OCR after numerous confidential files were discovered in dumpsters. The organization agreed to pay $1 million to settle potential HIPAA violations uncovered by OCR investigators.

It is not just OCR that fines HIPAA-covered entities for the improper disposal of PHI. State attorneys general also have the power to issue HIPAA penalties. In 2013, Mass. Attorney General Martha Coakley fined the former owners of a medical billing practice – Goldthwait Associates – $140,000 for disposing of old records at a public dump. 67,000 records were exposed in that incident.

CVS Caremark was fined $250,000 in 2013 for the improper disposal of PHI and settled with the Maryland Attorney General’s office after disposing of customer records in regular trash containers. This was not the first time CVS Caremark was ordered to pay a fine for improperly disposing of PHI. In 2009, the company settled with OCR and agreed to a $2.25 settlement, in part for the improper disposal of PHI. The company also agreed to implement new policies that required all of its pharmacies to shred PHI when it was no longer required.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.