On August 23, 2022, the Department of Health & Human Services, Office for Civil Rights (OCR) announced that it had settled alleged HIPAA violations with a dermatology practice. Under the settlement agreement, the practice is required to pay a civil penalty of $300,640 and to implement the terms of a two-year corrective action plan. At issue were allegations that the provider discarded empty specimen containers, each bearing a label containing the patient name, date of birth, date of sample collection, and the name of the provider who took the specimen, in a garbage dumpster located in the parking lot of the provider’s offices. The OCR found potential violations of the HIPAA Privacy Rule, including the impermissible use and disclosure of protected health information (PHI).
“Improper disposal of protected health information creates an unnecessary risk to patient privacy,” said Acting OCR Director Melanie Fontes Rainer. “HIPAA regulated entities should take every step to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public.”
This settlement should serve as a reminder to health care providers and their business associates of the absolute need to use caution when discarding any documents or items containing PHI, even minimal amounts of PHI. Proper disposal might include, for example, engaging a shredding contractor to destroy or shred items and documents and to provide a certificate of destruction or shredding to the provider. All such documents should be saved with the business’s HIPAA records for a period of at least six years.