HHS Resolution Agreement: New England Dermatology, P.C. (July 26, 2022); HHS News Release (Aug. 23, 2022)
Available at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/nedlc/index.html
HHS’s Office for Civil Rights (OCR) has announced a $300,640 settlement with a medical facility (a HIPAA covered entity) to resolve alleged violations of the HIPAA privacy rule. OCR began its investigation after the facility filed a breach notification report stating that empty specimen containers labeled with protected health information (PHI) had been placed in a dumpster in the facility’s parking lot. Each specimen container bore a label with PHI consisting of the patient’s name, birth date, collection date, and the name of the provider who took the specimen. The facility admitted that, over a ten-year period, it had routinely discarded specimen containers with labels containing unaltered PHI in its regular trash in an exterior dumpster that was accessible to the public. OCR concluded that the facility did not maintain appropriate safeguards to protect the privacy of PHI, and that it had impermissibly disclosed PHI to unauthorized individuals.
In addition to the settlement payment, the facility agreed to a two-year corrective action plan (CAP). The CAP requires the facility to develop, maintain, or revise its policies and procedures to comply with the HIPAA privacy rule, and those policies must be reviewed and approved by OCR. The facility must designate a privacy official who is responsible for the development and implementation of HIPAA privacy policies and procedures, and a contact person or office that will receive complaints. The approved policies and procedures must be distributed to workforce members and business associates, who must certify in writing or electronically that they have read, understood, and will abide by them. The facility must update the policies and procedures at least annually (subject to OCR review and approval). The facility must also provide training materials to its workforce within 60 days of OCR approval, and at least annually thereafter. Each workforce member who is required to attend training must certify, in electronic or written form, that they have received the training. The facility must submit an implementation report followed by annual compliance reports for the duration of the CAP.
EBIA Comment: OCR has specifically stated in FAQ guidance that covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. Failure to implement reasonable safeguards to protect PHI in connection with waste disposal (such as removing or obliterating any individually identifiable information) can result in impermissible disclosures of PHI and costly liability under HIPAA. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XX.D (“Resolution Agreements”) and XXVIII.C (“Safeguards (the ‘Mini-Security Rule’)”).
Contributing Editors: EBIA Staff.