PHI Here, There, and Everywhere - Liability for Improper Disposal of Items Containing PHI
September 14, 2022
By: Robert A. Anderson and
The Health & Human Services, Office of Civil Rights (“OCR”) recently settled with a dermatology practice, New England Dermatology and Laser Center (the “Practice”), after the Practice voluntarily disclosed that it had thrown specimen containers that contained patient names, dates of birth, dates of sample collection, and the name of the provider in a parking lot dumpster. A security guard found a container in the Practice’s parking lot. The Practice paid a fine of $300,640 and agreed to implement a “robust corrective action plan”. In addition, OCR publicized its investigation and the Practice’s mishandling of PHI that led to the settlement and the fine. As it always does, OCR named names.
The notice of the settlement published by OCR raises a few points worth considering. First, the Practice self-reported the breach after it became aware of what was occurring. While exceedingly uncomfortable, HIPAA requires covered entities to self-report breaches. OCR did not specify, but self-reporting likely mitigated the amount of the fine.
Second, OCR published the Practice’s name. The adverse publicity was likely embarrassing and counter-productive to the Practice’s interests. Years of efforts to build up patient good will and trust can be compromised by an unfortunate act of carelessness or disposal practice that does not meet the privacy and safeguarding requirements of HIPAA.
Finally, HIPAA breaches can occur outside the usual context of computer network hacks and paper charts. In this case, PHI had attached to the specimen containers and required more careful attention to their disposal. PHI may not be discarded into dumpsters or other containers that are accessible by the general public or other unauthorized people. While such practices violate HIPAA, HHS does not provide specific disposal or destruction practices for items containing PHI. Instead, covered entities must determine what is reasonable, include the same in its policies, and train its workforce on appropriate disposal and destruction policies.
In published FAQ’s, OCR notes that proper disposal methods may include:
- For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
- Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
- For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
Proper disposal policies are generally exercises in applied common sense. However, carelessness or the failure to properly train a workforce can lead to significant liability and adverse publicity for a provider. For questions regarding the proper disposal of items containing PHI or other HIPAA-related issues, contact Robert A. Anderson or Alexandria M. Foster.
Disclaimer. The contents of this article should not be construed as legal advice or a legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult with counsel concerning your situation and specific legal questions you may have.
Practices
Industries
September 14, 2022
By: Robert A. Anderson and
The Health & Human Services, Office of Civil Rights (“OCR”) recently settled with a dermatology practice, New England Dermatology and Laser Center (the “Practice”), after the Practice voluntarily disclosed that it had thrown specimen containers that contained patient names, dates of birth, dates of sample collection, and the name of the provider in a parking lot dumpster. A security guard found a container in the Practice’s parking lot. The Practice paid a fine of $300,640 and agreed to implement a “robust corrective action plan”. In addition, OCR publicized its investigation and the Practice’s mishandling of PHI that led to the settlement and the fine. As it always does, OCR named names.
The notice of the settlement published by OCR raises a few points worth considering. First, the Practice self-reported the breach after it became aware of what was occurring. While exceedingly uncomfortable, HIPAA requires covered entities to self-report breaches. OCR did not specify, but self-reporting likely mitigated the amount of the fine.
Second, OCR published the Practice’s name. The adverse publicity was likely embarrassing and counter-productive to the Practice’s interests. Years of efforts to build up patient good will and trust can be compromised by an unfortunate act of carelessness or disposal practice that does not meet the privacy and safeguarding requirements of HIPAA.
Finally, HIPAA breaches can occur outside the usual context of computer network hacks and paper charts. In this case, PHI had attached to the specimen containers and required more careful attention to their disposal. PHI may not be discarded into dumpsters or other containers that are accessible by the general public or other unauthorized people. While such practices violate HIPAA, HHS does not provide specific disposal or destruction practices for items containing PHI. Instead, covered entities must determine what is reasonable, include the same in its policies, and train its workforce on appropriate disposal and destruction policies.
In published FAQ’s, OCR notes that proper disposal methods may include:
- For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
- Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
- For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
Proper disposal policies are generally exercises in applied common sense. However, carelessness or the failure to properly train a workforce can lead to significant liability and adverse publicity for a provider. For questions regarding the proper disposal of items containing PHI or other HIPAA-related issues, contact Robert A. Anderson or Alexandria M. Foster.
Disclaimer. The contents of this article should not be construed as legal advice or a legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult with counsel concerning your situation and specific legal questions you may have.