Improper PHI Disposal Leads to $300,000 HIPAA Penalty for Massachusetts Dermatology Practice

New England Dermatology and Laser Center HIPAA fine

The HHSโ€™ Office for Civil Rights (OCR) has announced its 17th financial penalty of the year to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). New England Dermatology P.C., dba New England Dermatology and Laser Center (NDELC), a Massachusetts provider of dermatology services, has settled the case for $300,640. In addition to paying a financial penalty, NDELC has agreed to adopt a robust corrective action plan and will be monitored by OCR for compliance for a period of 2 years.

OCR launched an investigation of NDELC in response to a May 11, 2021, report of a breach of the protected health information of 58,106 patients. Empty specimen containers had been disposed of in a regular dumpster in NDELCโ€™s parking lot. The containers had labels that included patientsโ€™ protected health information, including name, date of birth, sample collection date, and the name of the provider who took the specimen.

During the course of the investigation, NDELC confirmed that this was not an isolated incident and that there had been a policy in place to dispose of empty containers along with regular waste between February 4, 2011, and March 31, 2021. HIPAA requires all protected health information to be rendered unreadable and indecipherable prior to disposal, to prevent the impermissible disclosure of sensitive patient information.

OCR determined that there was a lack of appropriate safeguards to ensure the privacy of protected health information, which violated 45 C.F.R. ยง.R. ยง. NDELC settled the case with no admission of liability.

โ€œImproper disposal of protected health information creates an unnecessary risk to patient privacy,โ€ said Acting OCR Director Melanie Fontes Rainer. โ€œHIPAA regulated entities should take every step to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public.โ€

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/