On August 23, 2022, the U.S. Department of Health & Human Services, Office for Civil Rights (“HHS”) announced that it had settled a case involving the disposal of physical protected health information (“PHI”).

OCR alleged that, on March 31, 2021, a specimen containing PHI was found by a third-party security guard in the parking lot of the New England Dermatology and Laser Center (“NEDLC”). The PHI included patient name, patient date of birth, date of sample collection, and the name of the provider who took the specimen, in violation of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

As part of the settlement, NEDLC agreed to pay HHS $300,640. According to NEDLC’s Resolution Agreement and the Corrective Action Plan, there were two potential violations by NEDLC. First, NEDLC allegedly failed to maintain appropriate safeguards to protect the privacy of PHI,” as required by 45 C.F.R. § 164.530(c). Second, NEDLC allegedly permitted the impermissible disclosure of PHI, in violation of Rule 45 C.F.R. § 164.502(a). The Corrective Action Plan requires NEDLC to develop, maintain and appropriately revise written policies and procedures in accordance with HIPAA.

Several highlights of the settlement include:

1. Changes to Policies and Procedures. NEDLC must develop, maintain and revise, as necessary, its written HIPAA policies and procedures, and provide such policies and procedures to HHS for review and approval. NEDLC also must assess, update and revise, as necessary, such policies and procedures at least annually, or as needed, and seek HHS’s approval of the revised policies and procedures.

2. Designation of Privacy Official. NEDLC must designate a privacy official who is responsible for the development and implementation of NEDLC’s HIPAA policies and procedures, and a contact person or office who is responsible for receiving relevant complaints.

3. Training Requirements. NEDLC must provide HHS with training materials for its workforce members and seek HHS’s approval of such training materials. NEDLC must also distribute the HIPAA policies and procedures to its workforce members and relevant business associates, and obtain a written compliance certification from all such individuals. NEDLC must provide HIPAA training for new workforce members, and all workforce members at least every 12 months. Each workforce member must certify, in electronic or written form, that they received training. NEDLC must review the training at least annually, and update the training where appropriate. NEDLC must promptly investigate, review, report to HHS, and sanction any workforce member that does not comply with its HIPAA policies and procedures.

4. Implementation Report and Annual Report.  NEDLC is required to submit to HHS a written report summarizing the status of its implementation of the requirements provided set forth in the settlement, and annual compliance reports.