Tossing PHI in The Trash Can be an Expensive Mistake

Last week, the Office for Civil Rights (OCR) reminded us of the importance of the basics when it comes to protecting patient information.  On August 23rd, it announced a HIPAA enforcement action involving tangible protected health information (PHI) that a practice tossed out with the rest of the trash.

For over a decade, PHI in the form of detailed labels on empty specimen containers went out with the regular trash of New England Dermatology, P.C., d/b/a New England Dermatology and Laser Center (NEDLC). On March 31, 2021, a security guard came across such a specimen container in the parking lot of NEDLC. The PHI on the specimen label included patient names, dates of birth, dates of sample collection, and the name of the provider who took the specimen.

Shortly after the security guard’s discovery, NEDLC reported the breach to OCR, along with the fact that the practice of tossing the containers in the trash had persisted for more than 10 years. There is no indication of how many individuals’ information was involved, and there probably was no way for NEDLC to know. Likely due to the obvious and repeated nature of the improper disclosure, NEDLC agreed to pay $300,640 and to follow a corrective action plan to settle the matter.

Hopefully, no practical advice is required here.  But to be certain:  DON’T THROW PHI IN THE TRASH.

For those of you keeping score, this is the 17th announced HIPAA enforcement action of the year with the total in settlements and penalties at just under $2 million.  Right of Access matters are in the lead (13), with improper disclosures (3) and security rule issues (1) trailing far behind.