Massachusetts-based New England Dermatology P.C., dba New England Dermatology and Laser Center (NDELC), has agreed to settle a HIPAA violation case with the HHS’ Office for Civil Rights (OCR) and has paid a $300,640 penalty to resolve alleged violations of the HIPAA Privacy Rule.
On May 11, 2021, NDELC notified OCR about a privacy breach involving the protected health information of 58,106 patients. On March 31, 2021, NDELC disposed of empty specimen containers in a regular dumpster in the MDELC parking lot. The containers had labels that included patients’ names, dates of birth, sample collection date, and the names of the providers that took the specimens. OCR investigated the incident and NDELC revealed it was a standard practice to dispose of empty specimen containers with regular waste, and that practice had been in effect from February 4, 2011, until March 31, 2021.
The administrative safeguards of the HIPAA Privacy Rule – 45 C.F.R. § 164.530(c) – require appropriate administrative, technical, and physical safeguards to be implemented to protect the privacy of protected health information. Covered entities must reasonably safeguard protected health information to limit incidental uses or disclosures, and must reasonably safeguard protected health information from any intentional or unintentional use or disclosure. When protected health information no longer needs to be legally retained it must be disposed of securely, which means protected health information must be essentially rendered unreadable, indecipherable, and otherwise cannot be reconstructed prior to disposal.
In addition to a violation of 45 C.F.R. § 164.530(c), OCR determined there had been an impermissible disclosure of PHI to unauthorized individuals, in violation of 45 C.F.R. § 164.502(a). NDELC chose to settle the case with no admission of liability. In addition to paying a financial penalty, NDELC has agreed to implement a corrective action plan, which includes two years of monitoring.
“Improper disposal of protected health information creates an unnecessary risk to patient privacy,” said Acting OCR Director Melanie Fontes Rainer. “HIPAA regulated entities should take every step to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public.” Rainer replaced Lisa J. Pino in July 2022. Pino held the post of OCR Director for 10 months.
It has been a busy year of HIPAA enforcement for OCR. In 2022, 17 HIPAA cases have been resolved with financial penalties, just two short of the record of 19 financial penalties set in 2020.
The post Improper Disposal of PHI Results in $300,640 HIPAA Penalty appeared first on HIPAA Journal.