Practice Fined for Tossing PHI in Parking Lot Dumpster
Settlement Shows Challenges of Properly Disposing of Patient Info
Proper disposal of any form of patient information, whether electronic or paper, is a cornerstone of the HIPAA privacy and security rules, and the practice of throwing patients' used specimen containers in a dumpster, labels intact, has cost a Massachusetts dermatology group $300,640 in fines.
The investigation began in May 2021 after a third-party security guard patrolling the parking lot behind New England Dermatology and Laser Center in Springfield found a single specimen container whose label carried a patient's name, date of birth, date of sample collection and the name of the provider, according to the Department of Health and Human Services' Office for Civil Rights.
The matter was referred to HHS OCR, which subsequently found the practice had been improperly disposing of many patients' protected health information for more than a decade, according to a settlement issued Tuesday that included the fine and a corrective action plan for potential violations of the HIPAA privacy rule.
"HIPAA-regulated entities should take every step to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public," says Melanie Fontes Rainer, acting director of HHS OCR, in a statement.
The practice of dumping the specimen containers without shredding or otherwise destroying the labels was in effect from Feb. 4, 2011, to March 31, 2021, HHS OCR says, affecting an unspecified number of patients. The dermatology group's website lists 15 physicians and other clinicians practicing in four local offices.
Neither NEDLC nor HHS OCR immediately responded to Information Security Media Group's request for comment and additional details about the case.
All HIPAA-covered entities and business associates should heed the warnings emerging from this case, says regulatory attorney Rachel Rose.
"In my experience representing clients post-breach in front of HHS OCR, their investigations are always thorough and they look backward for a pattern," she says. "A decade-old specimen disposal practice that flagrantly [allegedly] violated such a fundamental aspect of HIPAA justifies the settlement amount," she says.
Dumpster Diving and Social Engineering
Regulators take the disposal of PHI so seriously because discarded records can provide cybercriminals with a wealth of information for identity theft and a variety of email and online scams, with no hacking required.
"Social engineering, which cybercriminals deploy in various ways, including phishing emails and dumpster diving, cannot be under-emphasized and should be incorporated into training, as well as policies and procedures," she says.
Shredding patient records before they go to the dumpster is the best approach, but it's not that easy for some types of PHI, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"Disposing of PHI on labels can be challenging. It often cannot be shredded using standard paper shredders," he says. "Healthcare providers may check with the vendor that handles their medical waste regarding whether they can securely destroy containers with PHI."
Proper shredding and other types of disposal that render PHI unreadable and unrecoverable should be spelled out in organizations' policies and procedures, advises Rose.
If a third party is used, the vendor typically provides a certificate of destruction after each shredding, she says.
"A similar process is followed for servers and other hard drives when they are sanitized or destroyed."
The latest settlement is one of a handful of HIPAA enforcement actions by HHS OCR in recent years involving the improper disposal of patient PHI.
In 2014, HHS OCR hit Parkview Health System with an $800,000 HIPAA settlement as a result of an incident in June 2009 involving the paper medical records of 5,000 to 8,000 patients.
Employees at Parkview, a not-for-profit organization serving northeast Indiana and northwest Ohio, had left 71 cardboard boxes of patient records at the end of the driveway of a physician's home, within 20 feet of a public road.
More recently, in 2018, HHS OCR entered into a $100,000 HIPAA settlement with Filefax, a now-defunct medical records storage company that was at the center of a 2015 "dumpster diver" breach involving the discarded paper records of more than 2,000 patients.
One of the most expensive penalties in this category came from California regulators in 2015, when grocery store chain Safeway was ordered to pay $9.87 million for the improper disposal of confidential pharmacy records and hazardous waste in dumpsters.
Corrective Action Plan
As part of its resolution agreement with HHS OCR in the case, NEDLC has agreed to implement a corrective action plan in addition to paying the financial settlement.
Corrective actions include:
- Developing, maintaining, and revising its written policies and procedures to comply with the federal standards that govern the privacy of individually identifiable health information;
- Submitting those written policies and procedures to HHS OCR for the agency's approval;
- Implementing those approved policies and procedures and distributing them to all members of the practice's staff and relevant business associates;
- Providing training related to the policies and procedures to all employees.
"HIPAA-covered entities and business associates should review their disposal procedures for both written PHI in whatever form, as well as for electronic PHI," says privacy attorney Iliana Peters of the law firm Polsinelli, a former senior adviser at HHS OCR.
That includes devices and media that may have to be physically destroyed instead of wiped, because wiping does not reliably remove ePHI from every type of device or storage medium, she says.
The goal in properly disposing of computing devices and media containing patient information "is to ensure they don't have any PHI that is 'slipping through the cracks,'" she adds.