Once again, the Department of Health and Human Services’ Office for Civil Rights (OCR) has used a HIPAA violator’s garbage as an example for others of how to comply with the Privacy Rule – and what happens when you don’t.
Denver-area Cornell Prescription Pharmacy has just learned this the hard way, agreeing to pay $125,000 to settle allegations of HIPAA violations for the inadequate disposal of patient protected health information (PHI). OCR launched an investigation into Cornell after receiving a tip from a local news outlet. OCR found that Cornell disposed of unsecured documents containing PHI in unlocked, open, publicly accessible containers on its premises. The documents were also not shredded.
And what was probably a tipping point for OCR: not only had Cornell failed to dispose of PHI in accordance with HIPAA, it appeared to have little interest in complying with its other provisions, such as implementing “any” written policies and procedures or training staff, according to OCR’s announcement of the settlement.
Cornell is a small, single site pharmacy that specializes in supporting hospices.
No one method of disposal required
HIPAA requires covered entities to take “reasonable” safeguards regarding the disposal of PHI. However, it does not mandate any particular method, and allows entities some flexibility. Disposing of PHI in a dumpster that is publicly accessible is a no-no, unless the PHI “has been rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster,” OCR clarifies in an answer to frequently asked questions.
According to OCR, examples of proper disposal methods may include, but are not limited to:
For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
In justifiable cases, based on the size and the type of the covered entity, and the nature of the PHI, depositing PHI in locked dumpsters that are accessible only by authorized persons, such as appropriate refuse workers.
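The “clearing” option for electronic media in the list above is the one a practitioner is most likely to implement in software, and the part that is easy to get wrong is the verification step. The following is an added example written for this article; it is not code from OCR, HHS, or the pharmacy involved. It overwrites a file with random data, reads it back to confirm the constructed sample PHI strings no longer appear, and only then unlinks it. The patient record, marker strings, and temp-file layout are constructed for the demonstration. Note the caveat in the comments: in-place overwriting only reaches the blocks a file currently occupies, so it is not a substitute for purge or physical destruction on SSDs, copy-on-write filesystems, or cloud block storage.

```python
import os
import secrets
import tempfile

# Constructed sample record for the demonstration; no real patient data.
SAMPLE_RECORD = (
    b"Pharmacy label (constructed sample)\n"
    b"Patient: Jane Q. Patient\n"
    b"Address: 1234 Elm St, Denver CO\n"
    b"Medication: hospice comfort kit, qty 1\n"
)
# Strings whose absence after overwriting we treat as evidence of clearing.
MARKERS = [b"Jane Q. Patient", b"1234 Elm St"]


def overwrite_in_place(path: str, passes: int = 1, chunk_size: int = 1 << 16) -> int:
    """Overwrite every byte of the file at `path` with random data, in place.

    Returns the number of bytes overwritten per pass. Caveat: this reaches
    only the blocks the file currently maps. On SSDs (wear levelling),
    copy-on-write or journaling filesystems, snapshots, and cloud block
    storage, stale copies can survive; those media need purging
    (e.g. crypto-erase, degaussing where applicable) or destruction instead.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            os.fsync(fh.fileno())  # push the overwrite to the device, not just the page cache
    return size


def markers_absent(path: str, markers=MARKERS) -> bool:
    """Read the file back and confirm none of the marker strings survived."""
    with open(path, "rb") as fh:
        content = fh.read()
    return not any(m in content for m in markers)


def clear_file(path: str, passes: int = 1) -> bool:
    """Overwrite, then unlink. Returns True when the path no longer exists."""
    overwrite_in_place(path, passes=passes)
    os.remove(path)
    return not os.path.exists(path)


def run_demo() -> dict:
    """Write the constructed record to a temp file, clear it, and report results."""
    workdir = tempfile.mkdtemp(prefix="phi_clear_")
    path = os.path.join(workdir, "rx_label.txt")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_RECORD)
    readable_before = not markers_absent(path)   # PHI is plainly readable at this point
    overwritten = overwrite_in_place(path, passes=2)
    absent_after = markers_absent(path)          # verification step before deletion
    removed = clear_file(path)
    os.rmdir(workdir)
    return {
        "original_size": len(SAMPLE_RECORD),
        "bytes_overwritten": overwritten,
        "readable_before": readable_before,
        "markers_absent_after": absent_after,
        "removed": removed,
    }


if __name__ == "__main__":
    print(run_demo())
```

The design point is the order of operations: verify that the content is unrecoverable from the file before removing it, because once the inode is gone there is nothing left to check. Deleting first and overwriting free space afterwards gives no per-record evidence that a particular document was cleared.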
Also remember that if PHI is secured and later stolen or otherwise compromised, the breach does not need to be reported to HHS. Only unsecured PHI must be reported. HHS issued guidance in 2009 clarifying the extent to which PHI must be destroyed in order for it to be “secure.” For example, redaction is not sufficient.
There are several additional takeaways from this settlement:
Size is not a factor when it comes to HIPAA. OCR seems to prefer to use different types of covered entities when it uses a resolution agreement to teach a lesson to the industry. Previous resolution agreements have been signed by small physician practices, solo practitioners, large health plans, state agencies, hospitals, pharmacies and others.
The media likes exposing HIPAA violations. The press finds it newsworthy. And while all alleged HIPAA violations are problematic, it’s easier - and juicier - for the media to go dumpster diving outside and post photos of your trash than it is to reveal that your Notice of Privacy Practices is missing an update required by the 2013 omnibus rule.
If OCR has signed a resolution agreement for a particular violation, make sure you’re not committing the same violation. While OCR resolves most HIPAA violations informally, when it signs a resolution agreement, it’s sending a specific message and means business. For example, this is not the first time that the agency has used a resolution agreement and imposed a fine on a pharmacy for improper disposal of patient records after being alerted to it by the media. (Remember CVS? Rite Aid?)
Prepare for the deeper dive. If OCR launches an investigation into an entity for an alleged HIPAA violation, don’t expect OCR to limit its investigation to that violation. It will look to see what the entity’s overall HIPAA compliance scorecard is. If you’re not meeting the fundamentals (or trying to), OCR will be less lenient.