Garbage Can Cause HIPAA Issues

By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure (#HCdeJure)

Throwing out the trash is an everyday occurrence whether in personal or business life. However, when it comes to healthcare organizations, it is necessary to think about what trash goes where. The consideration goes beyond the difference between regular waste and hazardous medical waste. Specifically, how should trash that has patient information printed on it be thrown away?

The answer to that question is highlighted in the most recent HIPAA settlement announced by the Office for Civil Rights. The settlement focused on how one physician practice mishandled disposal of specimen containers.

HIPAA Settlement Details

As described by OCR, the physician practice in question had to dispose of unused specimen containers. The specimen containers were not just empty bottles, though. The containers were also labeled. The labels contained the patient name, date of birth, date of sample collection, and the name of the clinician who took the sample. The labeled containers that went unused were then thrown away as so-called regular waste. That meant putting them in a normal trash bag and then tossing the trash bag into a generally accessible dumpster. As reported by OCR, the practice of throwing the labeled containers into the regular trash went on for a period of ten years.

The practice reported the issue to OCR only after a labeled container was found in the parking lot by a security guard. OCR’s summary of facts indicates that the security guard found only 1 container in the parking lot. The discovery occurred on March 31, 2021. The practice filed its breach notification report with OCR on May 11, 2021. The notification did occur within the 60-day period required by the breach notification rule.

Interestingly, the OCR settlement does not touch upon the time between discovery and notification. As noted, the report (which suggests the notification to patients also happened) occurred within the 60-day period. It is also important to remember the language of the breach notification rule: a report can (and should) be made earlier if the information is available. Given the nature of the incident in this settlement, why did it still take so long to submit the report? Arguably, the investigation should not have taken all that much time.

What did the improperly disposed containers cost the practice? $300,640. The number appears pretty big, but if it is distributed across the time period, then the settlement comes to roughly $30,000 for each year that the improper practice occurred.

How to Handle Trash

What should an organization do with trash that contains PHI? Securely destroy it. Secure destruction has been the subject of guidance from OCR and of other settlements in the past. If PHI is not rendered unreadable, undecipherable, or otherwise incapable of being understood, then problems will arise. If PHI can still be understood, then privacy risks will exist.

When approaching the issue from that perspective, an organization should separate out any trash that includes PHI. Once all trash with PHI is together, an assessment can be made of how to appropriately destroy it. For example, paper can be sent to a secure shredding facility. In that instance, it may be helpful to obtain a certificate of destruction to prove that the destruction actually occurred. It may come as a surprise to an organization that the destruction does not always actually occur.

How can containers like those described in the settlement be destroyed? It may depend on the specific type of container, but a healthcare organization can contact a garbage disposal company or another company that can destroy products. The lesson is to take the time to explore how to ensure that PHI cannot be read or found, and so avoid the privacy exposure.

HIPAA Compliance

The settlement highlights the breadth of areas affected by HIPAA compliance. Ensuring the privacy and security of patient information is an active, comprehensive process. No area of operation in a healthcare organization can really be left out of the considerations. The effort can be time-consuming, but it is worth it to avoid becoming a headline and potentially paying a settlement to OCR.

This article was originally published on The Pulse blog and is republished here with permission.