After a long stretch of breach enforcement actions and settlements arising out of alleged technology gaps, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced that it settled a case that involved improper disposal of physical protected health information (PHI). This case is unusual for its quick resolution, but that is likely a byproduct of the fact that it would be hard to defend, given OCR’s well-settled advice on this issue. This case serves as a reminder to covered entities that, while electronic medical records and security rule violations are more the norm, they must still recognize paper records as a possible source of a breach.
Just over a year after New England Dermatology P.C., d/b/a New England Dermatology and Laser Center (NEDLC), reported a breach, OCR announced on August 23, 2022, that it settled with NEDLC. On May 11, 2021, NEDLC filed a breach report with OCR stating that it improperly disposed of empty specimen containers, the labels for which contained PHI. NEDLC placed the containers in a dumpster in its parking lot. The containers’ labels included patient names and dates of birth, dates of sample collection, and the name of the provider who took the specimen. The issue came to light on March 31, 2021, when a third-party security guard found one of the specimen containers in the parking lot, outside of the dumpster. NEDLC stated that it disposed of specimen containers in this way, without removal of PHI, from February 4, 2011, until March 31, 2021. The OCR’s database of archived reported breaches indicates that NEDLC identified 58,106 patients impacted by this issue.
The Resolution Agreement and the Corrective Action Plan (CAP) state that OCR’s investigation identified two potential violations: 1) failure to “maintain appropriate safeguards to protect the privacy of PHI, as required by the Privacy Rule (see 45 C.F.R. § 164.530(c)),” and 2) impermissible disclosure of “PHI to unauthorized individuals in violation of the Privacy Rule (see 45 C.F.R. § 164.502(a)).” Neither the Resolution Agreement nor the CAP discusses how the “Resolution Amount” of $300,640 was calculated.
The CAP obligates NEDLC to develop, maintain and appropriately revise written policies and procedures in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule (45 C.F.R. Part 160 and Subparts A and E of Part 164), including designation of a privacy official to implement those policies and procedures, and to provide them to OCR for review and approval. The CAP states that the Privacy Rule policies and procedures must contain, at a minimum:
- A policy for the disposal of all PHI created, received or maintained by the covered entity.
- Protocols for training all workforce members who are involved in handling and disposing of PHI as necessary and appropriate to ensure compliance with the policies and procedures.
- Procedures to review and update as necessary the covered entity’s policy for the physical safeguarding of PHI.
- Protocols for training all workforce members who are involved with handling PHI to ensure compliance with the policies and procedures.
- Application of appropriate sanctions against workforce members who fail to comply with policies and procedures for safeguarding and disposal of PHI.
The CAP also requires NEDLC to provide OCR with its training materials for review and approval and obtain electronic certification from workforce members once training is completed annually and at the time of onboarding. As is customary, NEDLC is required to file annual reports of compliance as well as reports of any workforce member’s or business associate’s violation of its policies and procedures.
Improper disposal is not unique to NEDLC. OCR’s database of reported breaches impacting over 500 patients indicates that since 2010, 115 such breach reports have been filed with the type of breach identified as “improper disposal.” Seven of those incidents, which were reported between December 2020 and June 2022, are still under investigation. This Resolution Agreement signals that covered entities and business associates cannot lose sight of physical safeguards of PHI, even as ransomware and other technology intrusions continue to dominate the news cycle.