Improper PHI Disposal Leads to $300,000 HIPAA Penalty for Massachusetts Dermatology Practice
The HHS’ Office for Civil Rights (OCR) has announced its 17th financial penalty of the year to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). New England Dermatology P.C., dba New England Dermatology and Laser Center (NDELC), a Massachusetts provider of dermatology services, has settled the case for $300,640. In addition to paying a financial penalty, NDELC has agreed to adopt a robust corrective action plan and will be monitored by OCR for compliance for a period of 2 years.
OCR launched an investigation of NDELC in response to a May 11, 2021, report of a breach of the protected health information of 58,106 patients. Empty specimen containers had been disposed of in a regular dumpster in NDELC’s parking lot. The containers had labels that included patients’ protected health information, including name, date of birth, sample collection date, and the name of the provider who took the specimen.
During the course of the investigation, NDELC confirmed that this was not an isolated incident and that there had been a policy in place to dispose of empty containers along with regular waste between February 4, 2011, and March 31, 2021. HIPAA requires all protected health information to be rendered unreadable and indecipherable prior to disposal, to prevent the impermissible disclosure of sensitive patient information.
OCR determined that there was a lack of appropriate safeguards to ensure the privacy of protected health information, which violated 45 C.F.R. §.R. §. NDELC settled the case with no admission of liability.
“Improper disposal of protected health information creates an unnecessary risk to patient privacy,” said Acting OCR Director Melanie Fontes Rainer. “HIPAA regulated entities should take every step to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public.”