Proper Disposal of PHI Required, Often Overlooked
The Office for Civil Rights (OCR) announced a settlement with a Massachusetts dermatology clinic regarding the improper disposal of protected health information (PHI), which serves as a reminder that HIPAA compliance is not only about protecting data from hackers. Covered entities also are responsible for disposing of PHI appropriately. The clinic paid $300,640 to OCR and agreed to implement a corrective action plan.
The investigation began when the clinic filed a breach report with OCR, saying it had placed empty specimen containers with PHI labels in a garbage bin in its parking lot. “The labels included patient names and dates of birth, dates of sample collection, and name of the provider who took the specimen,” OCR reported. In addition to the monetary settlement, the clinic must complete a corrective action plan that includes two years of monitoring.1
This is the classic “low-hanging fruit” situation, says Brad Rostolsky, JD, partner with Reed Smith in Philadelphia. The government will always capitalize on such a blatant failure to comply with the most basic HIPAA requirements.
“A regulated entity’s improper disposal of PHI suggests one of two things. First, an unfortunate situation caused by human error; or second, a failure to prioritize the basic tenets of healthcare privacy and security measures,” Rostolsky says. “As much as people make mistakes, the regulators will likely view certain situations as indicative of a company’s overt disregard for patients’ privacy concerns.”
Shred Bins Most Common
Most covered entities use locked shred bins to dispose of tangible material containing PHI, says Richard Sheinis, JD, partner with Hall Booth Smith in Charlotte, NC. Usually, that material is paper, but the Massachusetts case shows facilities must also securely dispose of non-paper items, such as labeled test tubes.
Larger facilities may use their own in-house shredding capabilities, but many contract with outside vendors that periodically collect materials from the locked bins and shred the materials offsite. In that case, the covered entity must have a business associate agreement with that vendor.
“Paper is fairly easy, but what I’ve seen medical providers get in trouble with is what happens between the creating of paper PHI and when it gets to the shred bin,” Sheinis notes. “Clerical staff in an office create and handle a lot of paper with insurance information and other PHI, and they may follow the policy of using the locked shred bin when they’re done with it. But in the meantime, they might leave those documents lying around on desks and counters, unprotected and visible to people.”
That is problematic because any passerby may view PHI just with a glance, even if they do not intentionally pick up the document and read it. Sheinis has been involved with such cases, and has heard explanations from employees suggesting they regularly take unneeded PHI documents to the shred bin at the end of the day, or even once a week.
“That is not a good way to do it,” Sheinis says. “Those documents are available to anyone in the office — the cleaning people who come in at the end of the day, and of course to anyone who is up to some nefarious activity and is actually there to steal information.”
The proper handling of paper PHI has been drilled into covered entities, and many OCR investigations that led to large penalties have occurred over documents found in unsecured dumpsters and similar situations. Violations regarding paper PHI still occur, but most healthcare facilities at least use safeguards, even if they do not always follow them properly.
That is not always the case with tangible but non-paper PHI, Sheinis says, and that might be why the Massachusetts clinic ended up with test tubes in an unsecured trash bin.
“Facilities that can handle their own paper shredding on site may not be able to dispose of things like test tubes. If they outsourced the paper shredding, they probably would have included them. But if they shred their own paper, maybe this can get overlooked,” Sheinis says. “But there are vendors who do this, just as there are vendors who pick up their sharps for disposal.”
Covered entities should create policies on disposal of PHI in all forms, including retention and destruction policies for documentation that must be retained for some time, such as patient health records. Retaining such documentation longer than necessary only creates a breach risk.
“I’ve been involved in cases where covered entities had records that went back 20 or 30 years. They never got rid of it, and when they had a security breach, instead of dealing with records from just the past five years we’re dealing with thousands more records going back for decades,” Sheinis notes.
Disposal of devices is another issue that can be overlooked. Desktop computers, laptops, smartphones, and many other devices can retain PHI even if the files were “deleted.” Deleting a file normally removes only the filesystem’s reference to it; the underlying data blocks remain on the drive until they are overwritten and can be recovered with ordinary forensic tools.
“I know of one case in which a hospital was storing a bunch of old computers in a storeroom until they got around to throwing them out, and they got in trouble for that because the PHI on those computers was not protected at all,” Sheinis explains. “What they really needed to do was dispose of those computers properly by wiping them clean rather than just unplugging them and putting them in storage. Once they are truly wiped, you theoretically could toss them in a dumpster.”
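To make the point concrete, the following is an added example, written for this edit and not code from the article or from any of the sources quoted in it. It models a tiny block device whose “delete” operation behaves like a real filesystem (the directory entry goes away, the data blocks do not), scans the raw image for residual records shaped like the specimen labels in the OCR case, then overwrites the media and verifies the result. The record format, the `ToyDisk` class, and the sample records are all assumptions constructed for the demonstration; the records are fictional.

```python
import os
import re

BLOCK_SIZE = 512

# Constructed, fictional sample records shaped like the specimen labels the
# article describes (name, DOB, collection date, provider). Not real PHI.
SAMPLE_RECORDS = [
    b"PATIENT=Jane Doe;DOB=1970-04-12;COLLECTED=2022-03-01;PROVIDER=Dr. A. Smith",
    b"PATIENT=John Roe;DOB=1985-11-30;COLLECTED=2022-03-02;PROVIDER=Dr. B. Jones",
]

# Pattern a sanitization check might grep raw media for (assumed label format).
PHI_PATTERN = re.compile(rb"PATIENT=[^;\x00]+;DOB=\d{4}-\d{2}-\d{2}")


class ToyDisk:
    """Minimal block device: block 0 is the directory ('name:block' lines),
    the remaining blocks hold file contents, one block per file. Mirrors the
    behaviour that matters here: 'delete' unlinks the name, it does not erase
    the data blocks."""

    def __init__(self, n_blocks):
        self.image = bytearray(BLOCK_SIZE * n_blocks)
        self._next_free = 1

    def _read_dir(self):
        raw = bytes(self.image[:BLOCK_SIZE]).rstrip(b"\x00")
        entries = {}
        for line in raw.split(b"\n"):
            if line:
                name, blk = line.split(b":")
                entries[name.decode()] = int(blk)
        return entries

    def _write_dir(self, entries):
        raw = b"".join(f"{n}:{b}\n".encode() for n, b in entries.items())
        self.image[:BLOCK_SIZE] = raw.ljust(BLOCK_SIZE, b"\x00")

    def write_file(self, name, data):
        assert len(data) <= BLOCK_SIZE, "toy disk: one block per file"
        blk = self._next_free
        self._next_free += 1
        start = blk * BLOCK_SIZE
        self.image[start:start + BLOCK_SIZE] = data.ljust(BLOCK_SIZE, b"\x00")
        entries = self._read_dir()
        entries[name] = blk
        self._write_dir(entries)

    def delete(self, name):
        """What rm / 'Delete' does: drop the directory entry, leave the data."""
        entries = self._read_dir()
        entries.pop(name)
        self._write_dir(entries)

    def list_files(self):
        return sorted(self._read_dir())


def find_residual_phi(image):
    """Scan the raw media (not the filesystem view) for label-shaped records."""
    return [m.group(0) for m in PHI_PATTERN.finditer(bytes(image))]


def wipe_overwrite(disk):
    """Overwrite every block, then zero-fill so the result is verifiable.
    Caveat for real hardware: on SSDs and flash, host-side overwriting does
    not reach remapped or spare cells, so use the drive's own secure-erase
    or sanitize command and treat an overwrite as a supplement, not the wipe."""
    n = len(disk.image)
    disk.image[:] = os.urandom(n)
    disk.image[:] = bytes(n)
    disk._next_free = 1


def verify_zero_filled(image, sample_blocks=None):
    """Read the media back and confirm it holds only zeros. Full read by
    default; sample_blocks limits the check to evenly spaced blocks."""
    n_blocks = len(image) // BLOCK_SIZE
    if sample_blocks is None or sample_blocks >= n_blocks:
        idx = range(n_blocks)
    else:
        idx = range(0, n_blocks, max(1, n_blocks // sample_blocks))
    zero = bytes(BLOCK_SIZE)
    return all(bytes(image[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]) == zero for i in idx)


def demo():
    """Write, 'delete', scan, wipe, scan again; returns the evidence."""
    disk = ToyDisk(16)
    for i, rec in enumerate(SAMPLE_RECORDS):
        disk.write_file(f"specimen{i}.txt", rec)
    for name in disk.list_files():
        disk.delete(name)
    residual_after_delete = len(find_residual_phi(disk.image))
    wipe_overwrite(disk)
    return {
        "files_after_delete": disk.list_files(),
        "residual_after_delete": residual_after_delete,
        "residual_after_wipe": len(find_residual_phi(disk.image)),
        "zero_verified": verify_zero_filled(disk.image),
    }


if __name__ == "__main__":
    print(demo())
```

Two things in the output are worth noticing. After every file is deleted the filesystem view is empty, yet a raw scan still finds both records, which is exactly the state of the hospital’s shelved computers. And the sampled verification can report a clean drive while a full scan still finds data, because the residue sits in blocks the sample skipped; when verifying a wipe, read the whole device or at least pattern-scan it, and keep that verification output as part of the disposal record.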
Shredding Must Be Secure
The Massachusetts settlement underscores the need to pay careful attention to patient information in all forms, says Matt Fisher, JD, general counsel for Carium, a telehealth and remote patient monitoring company based in Petaluma, CA.
“A lot of security discussions center on electronic documents, but physical ones can easily create a concern, too. When destroying physical documents, a healthcare organization should ensure that the documents are made completely unreadable, which usually translates to shredding,” Fisher says. “The shredding can be done on site or by sending to an outside facility in a protected container.”
If the documents are sent to an outside facility, then it is important to establish a documented relationship with that outside facility and confirm the documents were securely destroyed, Fisher says. If a healthcare organization chooses to shred internally, then a shredding method should be chosen that does not allow information to remain visible or for the documents to be put back together.
“The compliance considerations all add up to paying careful attention to the details and double-checking to make sure privacy is maintained,” Fisher says.
REFERENCE
- Office for Civil Rights. OCR settles case concerning improper disposal of protected health information. Aug. 23, 2022.
SOURCES
- Matt Fisher, JD, General Counsel, Carium, Petaluma, CA. Phone: (508) 603-9202.
- Richard Sheinis, JD, Partner, Hall Booth Smith, Charlotte, NC. Phone: (980) 859-0381.