What You Need to Know:
- The Privacy Rule requires that covered entities have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI in any form.
- HIPAA covered entities (“Covered Entities”) must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of PHI.
- Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI, an OCR investigation, and financial consequences.
- Covered Entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.
- In determining what is a reasonable disposal method, Covered Entities should (i) assess potential risks to patient privacy; and (ii) consider such issues as the form, type, and amount of PHI to be disposed.
- Proper disposal methods may include, but are not limited to:
- For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
- Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
- For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
On May 11, 2021, NEDLC filed a breach notification report with OCR stating empty specimen containers that were labeled with PHI had been placed in a dumpster located in NEDLC’s parking lot. On March 31, 2021, one specimen container bearing a label containing PHI was found in the parking lot by a third-party security guard. NEDLC confirmed that it regularly discarded specimen containers with an attached label that contained PHI (including patient names, dates of birth, dates of sample collection, and name of the provider who took the specimen) as regular waste, bagged and placed in an exterior dumpster accessible via the parking lot, without alteration to the PHI containing label. NEDLC used this dumpster and protocol from February 4, 2021 until March 31, 2021. HHS’ investigation concluded that NEDLC did not maintain appropriate safeguards to protect the privacy of PHI as required by the Privacy Rule and had impermissibly disclosed PHI to unauthorized individuals in violation of the Privacy Rule.
The two-year CAP requires NEDLC to develop, maintain, and revise, as necessary, its written policies and procedures to comply with the Privacy Rule, designate a privacy official who is responsible for the development and implementation of such policies and procedures, train its workforce members accordingly, and prepare reports to HHS.
Saul Ewing has previously written about OCR HIPAA settlements, including those relating to alleged improper disposal of PHI under the Privacy Rule, including this Alert and this Alert.
NEDLC was required to pay a sizeable settlement, notwithstanding NEDLC’s timely filing of a breach notification report with OCR and confirmation of only one specimen container bearing a label containing PHI being found by a third-party security guard.
HIPAA compliance continues to be essential for HIPAA-Covered Entities and their business associates. PHI – in paper or electronic format – must be properly protected; otherwise, the Covered Entity or business associate may face consequences for its choices.
NEDLC’s settlement amount is an important and costly reminder to Covered Entities to review carefully their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps.