OCR settles case over improper disposal of protected health information
Investigation leads to $300,640 HIPAA settlement and corrective action plan
Today, the Office for Civil Rights (OCR) of the Department of Health and Human Services announced a settlement with New England Dermatology PC, d/b/a New England Dermatology and Laser Center (“NEDLC”), regarding the improper disposal of health information, a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. As a result, NEDLC paid $300,640 to OCR and agreed to implement a corrective action plan to resolve this investigation. NEDLC is located in Massachusetts and provides dermatology services.
On May 11, 2021, NEDLC filed a violation report with the OCR stating that empty sample containers with protected health information (PHI) on the labels were placed in a trash can in their parking lot. The container labels included the names and dates of birth of the patients, the dates the samples were taken, and the name of the provider who took the sample. The OCR investigation, conducted by OCR’s New England regional office, revealed potential breaches of the HIPAA Privacy Rule, including inadmissible use and disclosure of PHI and failure to maintain appropriate safeguards to protect the confidentiality of PHI.
“The improper disposal of protected health information creates an unnecessary risk to patient privacy,” said OCR Acting Director Melanie Fontes Rainer. “HIPAA-regulated entities must take all necessary steps to ensure safeguards are in place when disposing of patient information to prevent it from being publicly available.”
In addition to the monetary settlement, NEDLC will undertake a robust corrective action plan that includes two years of monitoring. A copy of the Resolution Agreement and Remedial Action Plan can be viewed at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/nedlc-ra-cap/index.html
OCR has helpful FAQs regarding HIPAA and the disposal of protected health information: https://www.hhs.gov/sites/default/files/disposalfaqs.pdf
If you believe that a HIPAA-covered entity or its business partner has violated your (or someone else’s) health information privacy rights or otherwise violated the privacy, security or breach notification rules, you can file a complaint with OCR: https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf