The HIPAA Privacy Rule requires covered entities to “have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.” 45 C.F.R. § 164.530(c). Covered entities must reasonably safeguard PHI from intentional or unintentional disclosure, which includes implementing policies and procedures for disposing of PHI. And workforce members – especially those involved in disposing of PHI, or who supervise others who dispose of PHI – must receive training on disposing of PHI. This includes volunteers. See 45 CFR 160.103 (definition of “workforce”).
Over the years, covered entities have faced government scrutiny for improper disposal of records. Unfortunately, improper disposal of PHI continues to occur (intentionally and unintentionally). Such was the case resulting in a $300,000 settlement.
On August 23, 2022, the Office for Civil Rights at the U.S. Department of Health and Human Services (“OCR”) announced that New England Dermatology P.C., d/b/a New England Dermatology and Laser Center (“NDELC”) paid $300,640 to resolve potential HIPAA violations arising from improper disposal of PHI. In May 2021, NDELC notified OCR of a HIPAA breach involving the PHI of 58,106 patients. NDELC’s breach report explained that empty specimen containers with PHI on the labels were disposed of in the garbage bin in their parking lot. The labels on the specimen containers contained PHI, such as name, date of birth, date of sample collection, etc. The subsequent OCR investigation found potential violations of HIPAA, including impermissible use and disclosure and failure to maintain proper safeguards to protect the privacy of PHI.
While HIPAA does not specify or require specific destruction methods, “HIPAA regulated entities should take every step to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public,” as explained by Acting OCR Director Melanie Fontes Rainer. Covered entities should also note that OCR has published “Frequently Asked Questions About the Disposal of Protected Health Information,” where it directly explained that “covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized person.” Covered entities must analyze their particular circumstances to determine reasonable actions to safeguard PHI. “In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed of,” according to OCR.
Covered entities should evaluate their policies and procedures related to HIPAA and confirm that their employees are trained on the policies and procedures. Covered entities should also go one step further and confirm that the actual practices of employees comply with HIPAA and its policies and procedures. Far too often employees know the policies and receive proper training, but for various reasons, do not act in a compliant manner.
The attorneys at Chilivis Grubman assist businesses of all types and sizes in connection with HIPAA-related matters, including breach response, breach notification, OCR investigations, and resulting civil litigation. If you need assistance with such a matter, please contact us today.