Medicare Compliance & Reimbursement

HIPAA:

Ensure PHI Disposal Methods Are Compliant and Secure

Caution: Careless disposal of PHI, including paper and physical items, is a HIPAA violation that OCR does investigate and penalize.

With cybersecurity concerns dominating the HIPAA landscape, your practice may rightly be focusing on data safety and IT-related issues. However, you shouldn’t discount the importance of basic HIPAA compliance such as the proper way to dispose of protected health information (PHI).

Why? Simply throwing your patients’ PHI into the trash without first securing or destroying it can have dire consequences for your organization.

Context: On Aug. 23, New England Dermatology P.C., d/b/a New England Dermatology and Laser Center (NEDLC), settled charges of potential HIPAA violations with the HHS Office for Civil Rights (OCR), an agency release indicates. The Springfield, Massachusetts-based NEDLC agreed to pay the feds $300,640 for improper disposal of patients’ PHI that resulted in a HIPAA breach. Additionally, the dermatology services provider will enter into a two-year corrective action plan (CAP) that OCR labels “robust.”

Reminder: Over the last few years, COVID has dominated the healthcare realm and Right of Access violations have been a primary target for OCR; however, this case should be a reminder that the feds are still pursuing small infractions and a variety of breach types, including disposal of physical records.

“The settlement reinforces that HIPAA compliance includes not only protection of electronic patient records, but proper handling of physical items as well,” explains attorney Mary Connolly with Rivkin Radler LLP in the law firm’s Rivkin Rounds blog.

Review These Critical Case Details

“On May 11, 2021, NEDLC filed a breach report with OCR stating that empty specimen containers with protected health information on the labels were placed in a garbage bin in their parking lot,” according to the OCR release. “The containers’ labels included patient names and dates of birth, dates of sample collection, and name of the provider who took the specimen.”

After receiving the breach report, OCR opened an investigation and identified the potential violations. According to the release, NEDLC had not implemented safeguards adequate to protect PHI when it left the practice’s control.

“Improper disposal of protected health information creates an unnecessary risk to patient privacy,” cautions OCR Director Melanie Fontes Rainer in the release. “HIPAA regulated entities should take every step to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public,” Fontes Rainer adds.

Under the CAP, NEDLC is required to institute a variety of HIPAA Privacy Rule requirements including:

  • Designate a privacy officer to develop and implement a HIPAA compliance plan.
  • Create, update, and modify policies and procedures that protect PHI.
  • Distribute HIPAA materials to staff.
  • Educate employees on the HIPAA-related policies and procedures, including the risks involved and penalties for non-compliance.
  • Get OCR approval of the plan and submit annual reports during the two years of monitoring.

Resource: Peruse the resolution specifics at www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/nedlc-ra-cap/index.html.
