Is Your Trash a HIPAA Violation?
In the case of the New England Dermatology and Laser Center (NEDLC), their trash was a violation, and a costly one, with a $300,640 fee attached. A security guard found a container with identifying information on its attached label. As a result, an investigation by the Department of Health & Human Services (HHS) Office for Civil Rights (OCR) followed.
The empty specimen containers carried protected health information (PHI) for 58,106 patients. This included patient names, birthdates, sample collection dates, and the names of the providers who took the specimens. The investigation revealed that it had been NEDLC’s standard practice to dispose of such containers with its regular waste removal from February 4, 2011, until March 31, 2021.
Why It Matters
The HIPAA Privacy Rule contains several administrative safeguards to protect patient PHI. When legally retaining PHI is no longer necessary, disposal is the next step of the lifecycle, and it must be done securely. PHI must be rendered unreadable, indecipherable, and unable to be reconstructed prior to disposal. Regarding the investigation, acting OCR Director Melanie Fontes Rainer said, “Improper disposal of protected health information creates an unnecessary risk to patient privacy.” She continued, “HIPAA regulated entities should take every step to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public.”
In addition to the fine, NEDLC has agreed to several corrective steps to prevent future violations, including submitting compliance reports to the OCR for two years. HIPAA Secure Now can help you review your healthcare business. Ensure that you are HIPAA compliant and cyber strong to defend your business against cybercrime. Let’s review your business and close the gaps that leave you vulnerable.