HHS OCR settles case over improper disposal of health data


On August 23, 2022, the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) announced that it had settled a case involving the destruction of protected health information (“PHI”).

OCR alleged that, on March 31, 2021, a specimen containing PHI was found by a third-party security guard in the parking lot of the New England Dermatology and Laser Center (“NEDLC”). The PHI included the patient’s name, the patient’s date of birth, the date the sample was taken and the name of the supplier who took the sample, in violation of the Data Portability and Accountability Act 1996. health insurance (“HIPAA”).

As part of the settlement, NEDLC agreed to pay HHS $300,640. According to the NEDLC Resolution Agreement and Corrective Action Plan, there were two potential violations by the NEDLC. First, the NEDLC allegedly failed to maintain appropriate safeguards to protect the confidentiality of PHI,” as required by 45 CFR § 164.530(c). Second, the NEDLC would have permitted the impermissible disclosure of PHI, in violation of 45 CFR § 164.502(a). The Corrective Action Plan requires NEDLC to appropriately develop, maintain, and revise written policies and procedures in accordance with HIPAA.

Several highlights of the settlement include:

  1. Changes to Policies and Procedures. NEDLC shall develop, maintain, and revise, as necessary, its written HIPAA policies and procedures, and provide such policies and procedures to HHS for review and approval. NEDLC shall also evaluate, update, and revise, as necessary, these policies and procedures at least annually, or as needed, and seek HHS approval for revised policies and procedures.

  2. Designation of Privacy Officer. NEDLC shall designate a privacy officer responsible for the development and implementation of NEDLC’s HIPAA policies and procedures, as well as a contact person or office to receive relevant complaints.

  3. Training requirements. NEDLC shall provide HHS with training materials for its staff members and seek HHS approval for such training materials. NEDLC must also distribute HIPAA policies and procedures to its personnel and relevant business associates, and obtain written certification of compliance from all such persons. The NEDLC must provide HIPAA training to new staff and all staff at least every 12 months. Each member of staff must certify, in electronic or written form, that he has undergone training. The NEDLC must review the training at least once a year and update the training as necessary. The NEDLC must promptly investigate, review, report to HHS, and discipline any personnel who fail to comply with its HIPAA policies and procedures.

  4. Implementation report and annual report. NEDLC is required to submit to HHS a written report summarizing the status of its implementation of the requirements set forth in the regulation, as well as annual compliance reports.

Copyright © 2022, Hunter Andrews Kurth LLP. All rights reserved.National Law Review, Volume XII, Number 264


Comments are closed.