Note to pharmacies: Don't throw unshredded patient heath information into Dumpsters. Just don't.
Ned MilenkovichThe Department of Health and Human Services’ Office of Civil Rights (OCR) has announced a settlement with a Denver-area pharmacy in a case that centered on violation of HIPAA requirements through disposal of medical records in an unsecure manner.
In 2012, a local Denver news station notified the OCR that records had been found in open containers on the pharmacy’s premises. OCR opened an investigation and discovered intact medical records containing protected health information for more than 1,600 of the pharmacy’s patients. The investigation revealed that the pharmacy had failed to safeguard the protected health information of its patients, failed to implement written HIPAA policies, and failed to provide staff with training on its HIPAA policies and procedures.
National privacy standards
All three violations committed by the Denver pharmacy show failure to comply with HIPAA’s Privacy Rule, which establishes national standards to protect individuals’ medical records and other personal health information. The rule requires safeguards to protect the privacy of personal information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
Although the HIPAA Privacy Rule does not specify how covered entities must dispose of paper documents, it explains that facilities “must review their own circumstances to determine what steps are reasonable to safeguard protected health information through disposal, and develop and implement policies and procedures to carry out those steps.”
In addition to the $125,000 fine, the pharmacy is required to adopt a corrective plan that will include the development of a comprehensive HIPAA policies and procedures manual. The procedures are required to include HIPAA training for all pharmacy employees. Each employee must then certify to having received the training, and the pharmacy must review the method and content of the training on an annual basis.
While announcing the settlement, OCR took the opportunity to reiterate the importance of secure disposal of paper medical records.
“Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons,” said OCR director Jocelyn Samuels. “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic or paper form.”
According to the OCR, examples of proper methods of disposal include:
Reminder to pharmacies
This recent OCR HIPAA enforcement action should serve as a reminder to pharmacies that are determined to be healthcare providers transacting electronically and that would therefore fall under the classification of a HIPAA “covered entity.” These pharmacies, like other HIPAA covered entities, are coming under increasing scrutiny by OCR, and to the extent necessary, they are being disciplined through monetary fines as well as required to undertake remedial corrective action to protect patient identifiable health information.