Lessons From a Major Settlement Over PHI Disposal

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) reached a major settlement with a non-profit covered entity (CE), resolving allegations that the CE violated the HIPAA Privacy Rule by failing to appropriately and reasonably safeguard protected health information (PHI).

Under the settlement, the CE agreed to pay $800,000, revise its compliance policies, and retrain its employees. The allegations arose after confidential medical records of thousands of patients were left unattended and exposed outside the home of a retiring physician on June 4, 2009. In reaching the settlement, the CE admitted no wrongdoing.

Lessons learned: disposal of protected health information is subject to HIPAA, and the Privacy Rule's safeguard requirements apply to paper records as well as electronic ones. Providers should review their PHI disposal policies and procedures, and conduct internal audits to assess compliance with HIPAA and HITECH laws and regulations as well as with the entity's own policies and procedures. A robust employee training program should also be established and followed.

If you have questions about HIPAA and HITECH laws and compliance, or have any other concerns about your healthcare practice or business, you may contact us here.