NDELC Settles HIPAA Violation Case For $300,640

The Office for Civil Rights (OCR), the primary enforcer of the Health Insurance Portability and Accountability Act (HIPAA), has recently settled a violation case with the New England Dermatology and Laser Center (NDELC). The settlement carries a $300,640 financial penalty to resolve violations of the HIPAA Privacy Rule.

On March 31, 2021, the NDELC disposed of empty specimen containers in an exterior dumpster in its parking lot. A third-party security guard then discovered an empty specimen container holding PHI. The empty specimen containers held sensitive personal information, including patient names, birth dates, addresses, providers that obtained the specimens, and sample collection dates. The NDELC submitted a breach report to the OCR admitting improper disposal of the PHI of more than 58,000 patients.

The OCR launched an immediate forensic investigation to determine what information had been disclosed without authorization and how. The OCR discovered that the NDELC's improper disposal of the containers was common practice from February 4, 2011, until March 31, 2021. Under the administrative safeguards of the HIPAA Privacy Rule, entities subject to HIPAA are required to reasonably safeguard PHI. This entails rendering it unreadable, indecipherable, and otherwise impossible to reconstruct before destruction. The OCR determined that the NDELC had failed to do this.

“Improper disposal of protected health information creates an unnecessary risk to patient privacy,” said Acting OCR Director Melanie Fontes Rainer. “HIPAA regulated entities should take every step to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public.”

The NDELC agreed to settle the HIPAA violation case with a financial penalty of $300,640 and has agreed to implement a Corrective Action Plan to ensure further protection of the PHI it manages. The Corrective Action Plan includes distributing and updating policies and procedures, further training for employees, annual reports of HIPAA compliance, and 2 years of free credit monitoring for affected individuals. Despite these agreements, the NDELC has made no admission of liability.

Stan Martin

Stan Martin is a journalist writing about all aspects of the healthcare sector. Stan's reporting spans a wide array of topics within healthcare, from medical advancements and health policy to patient care and the economic aspects of the healthcare industry. Stan has contributed hundreds of news articles to Healthcare IT Journal, demonstrating a commitment to delivering factual, comprehensive news.
