Springfield, Massachusetts, is home to the Naismith Memorial Basketball Hall of Fame – a mere 90-minute ride to Boston. Springfield is also, less famously, the headquarters of New England Dermatology, P.C., d/b/a New England Dermatology and Laser Center (“NEDLC”). This HIPAA covered entity provides treatment for skin, hair, and nail diseases, including acne, eczema, psoriasis, and rashes.
In late August of 2022, the Department of Health and Human Services’ Office for Civil Rights entered into a settlement agreement with NEDLC for $300,640. Under the terms of the agreement, NEDLC is subject to a two-year corrective action plan (CAP).
What happened at NEDLC… stayed at NEDLC, so to speak, which is what got it in hot water with OCR. NEDLC, for over a decade, regularly discarded specimen containers with PHI-containing labels as regular waste – in a dumpster located in NEDLC’s parking lot. In March of 2021, a third-party security guard found one of the containers. An OCR investigation quickly followed. Further details of NEDLC’s HIPAA violations and the resulting settlement are provided below.
OCR Settles Dermatology HIPAA Violations with NEDLC – Well, That Escalated Quickly
In May of 2021, NEDLC, as required by law, filed a breach notification report with OCR. In its report, NEDLC indicated that it had placed empty specimen containers labeled with individual patient PHI into its parking lot dumpster.
NEDLC did not do this just once. NEDLC admitted to OCR that it regularly dumpster-discarded specimen containers, each with an attached label that contained PHI.
The PHI on the discarded containers’ labels included patient names, dates of birth, dates of sample collection, and the name of the provider who took the specimen. NEDLC admitted that this practice was in effect from February 4, 2011, until March 31, 2021 (the date the security guard made the discovery).
HHS Investigates – Privacy and Breach Notification Problems
HHS’ presumably intrepid investigation found the following HIPAA violations:
- NEDLC did not maintain appropriate safeguards to protect the privacy of PHI, as required by the Privacy Rule.
- NEDLC impermissibly disclosed PHI to unauthorized individuals in violation of the Privacy Rule.
Proper disposal of PHI can be done by several means – including shredding, burning, pulverizing, pulping, and several others. These methods all have safeguards that prevent someone from being able to literally take PHI right off a label. They also have the added benefit of destroying the PHI by rendering it unreadable or indecipherable, as required by law.
Dermatology HIPAA Violation: Resolutions, Revisions, and Representations
HHS and NEDLC settled the dermatology HIPAA violations for $300,640. Under the terms of the Resolution Agreement, NEDLC is subject to a two-year corrective action plan (CAP).
Under the CAP, NEDLC must:
- Develop, maintain, and revise its written policies and procedures, as necessary.
- Designate a Privacy Official to implement its policies and procedures.
- Designate an individual who is responsible for receiving Privacy Rule-related complaints.
- Obtain signed written or electronic compliance certification from workforce members stating workforce members have read, understood, and agree to abide by the policies and procedures.
HIPAA Violations: No More Trash Talking
OCR has imposed a specific content requirement for the policies and procedures, to prevent further HIPAA violations.
NEDLC must, in its policies and procedures, include:
- NEDLC’s policy (after NEDLC has written it, that is) for the disposal of all PHI created, received, or maintained by NEDLC.
- Protocols for training all NEDLC’s workforce members involved in handling and disposing of PHI as necessary and appropriate to ensure compliance with NEDLC policies and procedures.
- Review and update, as necessary, NEDLC’s policy for the physical safeguarding of PHI.
- Application of appropriate sanctions against NEDLC workforce members who fail to comply with NEDLC policies and procedures.
Capping it Off – Privacy Rule Training
OCR has also imposed a workforce member training requirement to deter future HIPAA violations. NEDLC must provide Privacy Rule training for each workforce member at least every twelve (12) months thereafter, and must provide Privacy Rule training to each new member of the workforce or relevant new business associate within thirty (30) days of their beginning of service.
