Improper PHI Disposal Leads to $300,000 HIPAA Penalty for Massachusetts Dermatology Practice
The HHS’ Office for Civil Rights (OCR) has announced its 17th financial penalty of the year to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). New England Dermatology P.C., dba New England Dermatology and Laser Center (NDELC), a Massachusetts provider of dermatology services, has settled the case for $300,640. In addition to paying a financial penalty, NDELC has agreed to adopt a robust corrective action plan and will be monitored by OCR for compliance for a period of 2 years.
OCR launched an investigation of NDELC in response to a May 11, 2021, report of a breach of the protected health information of 58,106 patients. Empty specimen containers had been disposed of in a regular dumpster in NDELC’s parking lot. The containers had labels that included patients’ protected health information, including name, date of birth, sample collection date, and the name of the provider who took the specimen.
During the course of the investigation, NDELC confirmed that this was not an isolated incident and that there had been a policy in place to dispose of empty containers along with regular waste between February 4, 2011, and March 31, 2021. HIPAA requires all protected health information to be rendered unreadable and indecipherable prior to disposal, to prevent the impermissible disclosure of sensitive patient information.
OCR determined that there was a lack of appropriate safeguards to ensure the privacy of protected health information, in violation of 45 C.F.R. § 164.530(c) of the HIPAA Privacy Rule, and that the impermissible disclosure of patients’ PHI violated 45 C.F.R. § 164.502(a) of the HIPAA Privacy Rule. OCR determined that the prolonged period during which the policy was in place warranted a financial penalty. NDELC settled the case with no admission of liability.
“Improper disposal of protected health information creates an unnecessary risk to patient privacy,” said Acting OCR Director Melanie Fontes Rainer. “HIPAA regulated entities should take every step to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public.”