A dermatology practice has agreed to pay $300,640 to the Office for Civil Rights (OCR) to settle a HIPAA investigation “over the improper disposal of protected health information.” The New England Dermatology and Laser Center (NEDLC) also agreed to implement a two-year corrective action plan. NEDLC is located in Massachusetts and provides dermatology services.
OCR began investigating NEDLC in 2021 after the dermatology practice submitted a breach report stating empty specimen containers labeled with protected health information (PHI) were placed in a dumpster located in their parking lot. The containers’ labels included patient names and dates of birth, dates of sample collection, and name of the provider who took the specimen.
Improper Disposal Lasted for Ten Years
A security guard in the parking lot found a specimen bottle and turned it in to NEDLC on March 31, 2021. NEDLC then filed a breach report with OCR, explaining that the breach was caused by the improper disposal of specimen bottles by its in-house pathology laboratory. Treating the specimen bottles as regular trash by placing them in an unsecured garbage bin was inadequate to safeguard the PHI they contained.
Instead, because the bottles carried printed labels containing PHI, the lab should have been sending them for shredding or incineration. The information on the labels included patients' first and last names, birth dates, dates of specimen collection, the name of the provider who took the specimen, and the body part from which the specimen was taken. The regular trash, including this PHI, was collected by the waste contractor that serviced the building and sent to a landfill.
The improper disposal lasted for ten years, from 2011 until 2021.
Learn How to Dispose of Protected Health Information
OCR's guidance on disposal of PHI states that covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible to the public or other unauthorized persons. On the other hand, the HIPAA Privacy and Security Rules do not require a particular disposal method. OCR publishes its guidance as "FAQs About the Disposal of Protected Health Information."
The FAQs state that for non-electronic PHI, in general, examples of proper disposal methods may include, but are not limited to:
- For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
- Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
HIPAA Risk Assessment Uncovers Gaps
Remember that a HIPAA risk assessment covers the privacy and security of PHI in all forms, not just electronic media. Although most patient records today are in electronic format, a large amount of PHI still exists on paper, on film, on specimen labels and in files, stored on-site or off-site. A thorough risk analysis helps you inventory all the PHI in your care so that you can confirm the proper safeguards are in place to maintain, transmit or dispose of it.