$300,640 HIPAA Penalty Issued Due to Improper PHI Disposal

New England Dermatology P.C., based in Massachusetts and doing business as New England Dermatology and Laser Center (NDELC), has agreed to settle an alleged HIPAA Privacy Rule violation by paying a $300,640 penalty to the HHS’ Office for Civil Rights (OCR).

On May 11, 2021, NDELC notified OCR of a privacy breach affecting the protected health information (PHI) of 58,106 individuals. On March 31, 2021, NDELC had discarded empty specimen containers in an ordinary dumpster in the parking lot of its premises. The containers carried labels showing patients’ names, dates of birth, specimen collection dates, and the names of the companies that received the samples. OCR investigated the incident, and NDELC disclosed that it had been standard practice to dispose of empty specimen containers with regular waste. Workers had followed this practice from February 4, 2011 until March 31, 2021.

The administrative requirements of the HIPAA Privacy Rule – 45 C.F.R. § 164.530(c) – call for appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. Covered entities must reasonably safeguard PHI from any intentional or unintentional use or disclosure, and must reasonably limit incidental uses or disclosures. When PHI no longer has to be retained, it must be disposed of securely, meaning it must be rendered essentially unreadable, indecipherable, and otherwise unable to be reconstructed before disposal.

In addition to the violation of 45 C.F.R. § 164.530(c), OCR determined that PHI had been impermissibly disclosed to unauthorized persons, in violation of 45 C.F.R. § 164.502(a). NDELC chose to settle the case without admitting liability. Besides paying the financial penalty, NDELC has agreed to adopt a corrective action plan that includes two years of monitoring by OCR.

Improper disposal of protected health information creates an unnecessary risk to patient data security, said Acting OCR Director Melanie Fontes Rainer. HIPAA-regulated entities need to take every step to ensure patient data is disposed of safely, and patient information must be kept out of public reach. Rainer succeeded Lisa J. Pino in July 2022; Pino had served as OCR Director for up to 10 months.

OCR has been busy with HIPAA enforcement. Seventeen HIPAA cases were resolved with financial penalties in 2022, compared with 19 such cases in 2020.