Practical Benefits Lawyer

HIPAA Covered Entity Incurs $300,640 Settlement Penalty Over Improper PHI Disposal

September 20, 2022

A recent settlement announced by the HHS's Office for Civil Rights ("OCR") is a great reminder for all covered entities, including group health plans, to remain vigilant in protecting PHI. OCR recently announced a settlement with a HIPAA covered entity over the covered entity's improper disposal of PHI under the HIPAA privacy and security rules ("HIPAA Rules"). In this case, the covered entity was a health care provider that routinely disposed of empty specimen containers labeled with PHI by placing them in an outdoor unprotected garbage bin. A breach of PHI occurred when one of the labeled containers was found by a third-party security guard.

Upon its investigation into the breach, OCR determined that (i) the covered entity did not maintain appropriate safeguards to protect the privacy of PHI, as required by the HIPAA Rules, and (ii) the covered entity impermissibly disclosed PHI to unauthorized individuals in violation of the HIPAA Rules. Under the settlement agreement, the covered entity was required to pay $300,640 in penalties to OCR and to undertake a corrective action plan with two years of monitoring by OCR.

The HIPAA Rules require covered entities (which include employer-sponsored group health plans) to apply appropriate administrative, technical, and physical safeguards to protect the privacy of PHI in any form, including in connection with the disposal of PHI. However, the HIPAA Rules do not prescribe any particular disposal methods. Instead, covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal and then develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to the privacy of the PHI, as well as consider such issues as the form, type, and amount of PHI that is subject to disposal. 

Covered entities are also required to ensure that their workforce members receive training on, and follow, the covered entity's policies and procedures regarding the disposal of PHI, as appropriate for each member's role.

Links to (i) OCR's settlement agreement with the covered entity, (ii) HHS's related press release, and (iii) OCR FAQs concerning HIPAA and the disposal of PHI are here, here, and here, respectively. 
