HHS Settlement: Dumpster-Diving Leads to Settlement for Improper Disposal of Documents Containing Protected Health Information

Akerman LLP - Health Law Rx
Contact

The U.S. Department of Health and Human Services Office for Civil Rights (HHS) recently announced that it has reached an agreement with a small pharmacy to resolve potential HIPAA violations. The settlement arose from the disposal of unsecured paper documents containing protected health information (PHI) of the Pharmacy’s customers. The more well-known data breaches usually involve the improper disclosure of electronic PHI maintained by large covered entities, but this settlement is a good reminder that a covered entity, regardless of its size, must maintain the confidentially of PHI, regardless of whether it is maintained in electronic or non-electronic form.

HHS began its investigation in 2012 after being notified by a news station, which reported that documents containing the PHI of over 1,600 individuals had been discarded into an unsecured dumpster on the property of Cornell Prescription Pharmacy. These documents, which were not shredded, contained specifically identifiable information on the Pharmacy’s patients. Upon investigation, HHS determined the Pharmacy, which is a single-location pharmacy specializing in compounding medicines and providing services to local hospice care agencies, had violated the HIPAA Privacy Rule by:

  • failing to reasonably safeguard PHI;
  • failing to implement written policies and procedures; and
  • failing to train employees on policies and procedures

Although the settlement was not an admission of liability, the Pharmacy agreed to pay HHS $125,000 and implement an extensive corrective action plan (CAP). Because the Pharmacy had never developed and adopted the policies and procedures required under the HIPAA Privacy Rule, the CAP imposed significant additional obligations, including the development and submission to HHS for approval the required policies and procedures. The Pharmacy is also required to conduct appropriate training and submit annual reports for two years regarding its compliance with the CAP. Because the Pharmacy had never adopted or implemented the required policies and procedures, the costs of complying with the CAP are likely to be significant and are in addition to the $125,000 settlement payment.

Although the HIPAA Privacy Rule has been in place for over a decade, this settlement demonstrates there are covered entities or business associates that are not fully compliant with applicable provisions of HIPAA. In connection with this settlement agreement, HHS released an FAQ document about proper disposal of paper and electronic PHI. The announcement of this settlement also likely signals increased enforcement activities by HHS in the coming months and highlights the importance for covered entities and business associates, whether large or small, to take appropriate steps to minimize the chances of impermissible disclosures of PHI (in any format) and any resulting enforcement action by HHS. At minimum, a covered entity or business associate should:

  1. Ensure their privacy and security policies and procedures reflect the requirements of the HITECH Act and the HIPAA Omnibus Rule that was effective September 23, 2013 and that workforce members are trained to implement and follow these policies and procedures;
  2. At least annually conduct a thorough risk analysis to identify and mitigate security risks and vulnerabilities associated with PHI and adopt or revise policies accordingly;
  3. In the event of a suspected privacy breach, timely comply with breach investigation and notification requirements; and
  4. Determine whether existing general liability or professional liability policies provide coverage for data breach incidents and if not, contact their insurance broker about obtaining such coverage.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akerman LLP - Health Law Rx | Attorney Advertising

Written by:

Akerman LLP - Health Law Rx
Contact
more
less

Akerman LLP - Health Law Rx on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.