Data Breach Nightmare Scenario: News Affiliate Reports Improper Disposal of Patient Information
A tip from a local Denver news outlet led to a compliance review, investigation and ultimately a resolution agreement between the Department of Health and Human Services' Office for Civil Rights ("OCR") and Denver-based Cornell Prescription Pharmacy ("CPP"). On January 11, 2012, 9 News, the Denver NBC news affiliate, reported to OCR that certain patient information was being disposed of in a dumpster that was accessible to the public. The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") is the primary Federal regulation governing the security and privacy of certain personally identifiable health information, or "PHI." Under HIPAA's Privacy Rule, pharmacies such as CPP are required to implement appropriate administrative, technical and physical safeguards to protect the privacy of PHI, in any form. See 45 CFR 164.530(c). The disposal of paper records containing PHI in a publicly accessible dumpster is, of course, unreasonable by any measure.
Just two days after receiving the report, OCR initiated a compliance review and investigation of CPP. OCR's investigation found that CPP had failed to:
- reasonably safeguard its PHI, as required by the Privacy Rule;
- implement written policies and procedures to comply with the Privacy Rule; and
- document and train its workforce on its Privacy Rule policies and procedures.
Under the terms of the resolution agreement (a copy of which can be found here), CPP is required to pay HHS $125,000 and agree to a corrective action plan ("CAP"). CPP will not be required to admit wrongdoing under the terms of the resolution agreement. Under the CAP, CPP is required to develop written policies and procedures to comply with HIPAA, provide those policies and procedures to HHS by May 22, 2015, and implement said procedures within 30 days of receiving HHS' final approval. CPP is also required to produce an implementation report as well as annual reports for the next two years.
"Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons," said OCR Director Jocelyn Samuels. "Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper."
While not as easily transferable as its digital counterpart, the information in paper-based medical records remains extremely lucrative on the black market. It has been estimated that your medical data can fetch as much as 10 times the value of your credit card number. Understandably, health care providers and others covered by HIPAA will face increasing scrutiny given this lucrative black market as well as the recent high-profile breaches at various health insurance companies across the United States. Notwithstanding a recent delay, OCR is planning to conduct a new round of audits to prevent the situations discussed above. "We are committed to implementing a robust audit program," Samuels said. "I can't promise you the specific date, but it's happening." As OCR readies its Phase II audit program, regulated entities can be assured that NBC News and others will be watching for evidence of non-compliance.