By Marla Durben Hirsch , contributing writer
Providers continue to be confused as to how to dispose of their trash without running afoul of HIPAA. But the stakes are now higher – because it’s often the provider’s trash collector that’s exposing the patient data that’s in the garbage.
The Department of Health and Human Services’ Office for Civil Rights, (OCR) which enforces HIPAA’s privacy and security rules, has published guidance on proper disposal methods. While HIPAA doesn’t require particular processes, OCR suggests several, such as shredding, burning, pulping or pulverizing the records so that patient protected health information (PHI) is unreadable and cannot be reconstructed. Records treated this way are considered “secure”; a breach of them doesn’t even have to be reported.
However, many providers still don’t realize that they need to take this step as part of disposal. A number of them, including CVS, Rite Aid and Cornell Prescription Pharmacy have settled alleged HIPAA violations after disposing of unsecured records and other materials containing PHI in unlocked publicly accessible dumpsters. State attorneys general have also fined providers, even solo practitioners, for faulty trash disposal.
And it gets worse, since many providers have turned to outside vendors to dispose of their trash, and the vendors are making mistakes and exposing the PHI, violating HIPAA. The provider is ultimately liable even though it has entrusted the vendor to perform the disposal.
A simple Google search reveals a multitude of these incidents.
For example, the disposal company hired by physician owned Radiology Regional Center, with several facilities in Florida, exposed patient PHI in December 2015 when the back of the truck transporting the records to an incinerator opened, spilling the contents all over the road. While the Center spent considerable time combing the area and retrieving the records, it still had to notify 483,663 patients about the breach. The incident triggered a lawsuit in 2016 from several patients who claim, among other things, that the doctors were unaware of their obligations regarding proper trash disposal and admitted ignorance regarding it. That lawsuit is still pending.
And that may not be all. OCR has for the first time has begun to train its sights on mistakes being made business associates. In 2016 the agency resolved several enforcement actions with providers and business associates for security breaches caused by the business associates. It would not be surprising for OCR to investigate Radiology Regional and other providers whose records have been compromised by their disposal company.
Review all of your business associate agreements with those handling PHI on your behalf to ensure that you are adequately protected in case the business associate exposes patient information. For example, the business associate should pay for the costs of the breach, such as the expense of notifying patients and offering them free credit monitoring. OCR has a model business associate agreement that can help you.
If you delegate trash disposal and destruction to an outside vendor, make sure you know how the vendor will safeguard the information and dispose of it. For instance, look to see if the containers the disposal company is using are sturdy. Ensure that the vendor’s staff is trained in HIPAA compliance.
Be proactive to the extent possible regarding your trash. Consider having the trash incinerated on site so it doesn’t have to be transported. Make the trash unreadable yourself before giving it to the vendor to cart away, say by shredding it or obliterating PHI with a marker. Had Radiology Regional Center taken some of those steps, it may not have been in the hot spot it is today.