The United States Department of Health and Human Services Office for Civil Rights (“OCR”) announced a $300,640 settlement and corrective action plan with a dermatology provider over the improper disposal of protected health information (“PHI”).
Background
In May of 2021, the dermatology provider reported a breach to OCR when empty specimen containers with PHI on the labels were placed in a garbage bin in their parking lot. Additionally, one of the specimen containers was found in the parking lot by a third-party security guard. The disclosed PHI included patient names and dates of birth, dates of sample collection and name of the provider who took the specimen. During the investigation, OCR learned that the provider “regularly discarded specimen containers with an attached label that contained PHI as regular waste, bagged and placed in an exterior dumpster accessible via the parking lot, without alteration to the PHI containing label.” As a result of this breach, OCR found the provider had violated HIPAA based on the impermissible use and disclosure of PHI and the failure to maintain appropriate safeguards to protect the privacy of PHI. In guidance referenced by OCR in its announcement, OCR reminds covered entities that they are not permitted to abandon or dispose of PHI that has not been appropriately obscured in dumpsters or other containers that are accessible by the public or other unauthorized persons. In certain, justifiable cases, considering factors such as the size and type of covered entity and the nature of the PHI, depositing PHI in locked dumpsters that are accessible only by authorized persons, such as appropriate refuse workers, may be permissible.
HIPAA Requirements
The HIPAA Privacy Rule requires covered entities to apply appropriate administrative, technical and physical safeguards to protect the privacy of PHI. Covered entities are required to implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including when disposing of such information. Although HIPAA does not specify any particular method of disposal, it does provide the following examples of proper disposal methods based on the format of the information:
- For PHI in paper records, shredding, burning, pulping or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable and otherwise cannot be reconstructed.
- Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
- For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains) or destroying (disintegration, pulverization, melting, incinerating or shredding) the media.
In determining what is a reasonable method for proper disposal, covered entities should assess potential risks to patient confidentiality and the type of PHI that is being disposed of. When PHI contains highly sensitive information, such as social security numbers, financial information or diagnosis information, a higher level of care is required to ensure disposal is conducted in a manner that protects patient privacy.
Covered entities are also required to implement policies and procedures to address the final disposition of PHI and the hardware or electronic media on which it is stored. Procedures must also address removal of electronic PHI from electronic media before it is made available for re‑use. Covered entities must train their workforce members on the appropriate disposal of PHI in accordance with such policies and procedures.
Practical Takeaways
This settlement provides a reminder to covered entities of the importance of regularly reviewing organizational processes to assess how PHI is created, maintained, transmitted and disposed of. Policies and procedures should be updated to address appropriate disposal of PHI in all circumstances, and workforce members should be appropriately trained on compliance with such policies and procedures, even where only limited amounts of PHI are impacted.
If you have any questions or would like additional information about this topic, please contact:
- Stephane Fabus at (414) 721-0904 or sfabus@hallrender.com;
- Krystal Villarruel at (317) 429-3639 or kvillarruel@hallrender.com; or
- Your primary Hall Render contact.
Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.