In late August of 2022, the Department of Health and Human Services’ Office for Civil Rights entered into a settlement agreement with NEDLC for $300,640. Under the terms of the agreement, NEDLC is subject to a two-year corrective action plan (CAP).
What happened at NEDLC… stayed at NEDLC, so to speak, which is what got it in hot water with OCR. NEDLC, for over a decade, regularly discarded specimen containers with PHI-containing labels as regular waste – in a dumpster located in NEDLC’s parking lot. In March of 2021, a third-party security guard found one of the containers. An OCR investigation quickly followed. Further details of NEDLC’s HIPAA violations and the resulting settlement are provided below.
OCR Settles Dermatology HIPAA Violations with NEDLC – Well, That Escalated Quickly
In May of 2021, NEDLC, as required by law, filed a breach notification report with OCR. In its report, NEDLC indicated that it had placed empty specimen containers labeled with individual patient PHI into its parking lot dumpster.
NEDLC did not do this just once. NEDLC admitted to OCR that it regularly dumpster-discarded specimen containers, each with an attached label that contained PHI.
The PHI on the discarded containers’ labels included patient names, dates of birth, dates of sample collection, and the name of the provider who took the specimen. NEDLC admitted that this practice was in effect from February 4, 2011, until March 31, 2021 (the date the security guard made the discovery).