
Trashy Privacy Violations – Ep 372 

September 9, 2022

By Donna Grindle

Trashy Privacy Violation

David admits that as a kid he would dumpster dive for “treasures” people threw away. We’ve heard more than once of clients who have gone dumpster diving to retrieve documents containing PHI that were mistakenly thrown away in the regular trash. But, a recent OCR announcement highlights one dermatology group that had quite the trashy privacy violation.


Today’s episode is brought to you by Kardon and HIPAA for MSPs with Security First IT.


The Privacy and Security Boot Camp: a 3.5 day in-person event, Mar 12, 13, 14 and 15, 2023. PriSecBootCamp.com



HIPAA Say What!?!

[05:04] Breach notifications are required when PHI is improperly disclosed. Back to our discussion on Meta Pixels a few weeks ago (Amazon, Facebook, and PHI oh my! – Ep 369)… David has seen some of the local health system notifications because they used it in MyChart.

Here is an article from Novant Health about their use (or now, non-use) of the Meta pixel on their website and patient portal: Your Medical Privacy is Our Top Priority.

So, if you’ve missed it when we’ve said this a thousand times before, your vendors can mess you up and create privacy and security issues for you. Understand what they are doing for you and ask questions. Don’t assume.

Trashy Privacy Violations

[09:51] A new resolution agreement with New England Dermatology P.C., d/b/a New England Dermatology and Laser Center (“NEDLC”) was announced on Aug 23. There are a couple of important points we will note here in our discussion.

  1. The settlement amount of $300,640 makes me think it was due to this being a “low hanging fruit” type violation.
  2. Signed by Acting OCR Director Melanie Fontes Rainer? Wasn’t it Lisa Pino just the other day? Yes.

Trashy Resolution Agreement Announced

Let’s review the case situation first and then get into more detail on the two big points. The standard press release statement reads:

Improper disposal of protected health information creates an unnecessary risk to patient privacy. HIPAA regulated entities should take every step to ensure that safeguards are in place when disposing of patient information to keep it from being accessible by the public.

Acting OCR Director Melanie Fontes Rainer

What happened?

[19:33] On May 11, 2021, NEDLC filed a breach notification report saying that “empty specimen containers that were labeled with protected health information (PHI) were placed in a dumpster located in NEDLC’s parking lot”.

All of NEDLC’s specimen containers bear a label with the corresponding patient’s PHI. The PHI on the specimen label included patient names, dates of birth, dates of sample collection, and name of the provider who took the specimen.

On March 31, 2021, one container with PHI on it was found in the parking lot by a “third-party security guard”. That would be our date of discovery? Date that someone asked questions?

When OCR started asking questions about the problem they learned this was an ongoing practice!

Apparently they confirmed that they “regularly discarded specimen containers with an attached label that contained PHI as regular waste, bagged and placed in an exterior dumpster accessible via the parking lot, without alteration to the PHI containing label.”

They had been doing this for years! From February 4, 2011 until March 31, 2021.

HHS’ investigation showed the group had potential violations of HIPAA:

A. NEDLC did not maintain appropriate safeguards to protect the privacy of PHI

B. NEDLC impermissibly disclosed PHI to unauthorized individuals in violation of the Privacy Rule

I have heard this kind of violation called low hanging fruit for years. I mean, come on man, this stuff is not complicated to realize if you simply look and ask questions. This one is nothing more than not even asking any questions about PHI protections. I wonder if they had policy and procedure templates that said they would securely dispose of all PHI?

The amount of time spent on something that should not have been hard to notice or correct is why they have the pleasure of writing a check for over $300k. If you look at the willful neglect penalty numbers they could have used, the official calculation could easily have been in the millions of dollars. Plus, who knows what the cybersecurity side of the house looks like.

[29:45] The two year CAP just focuses on policies and procedures for the Privacy Rule. The minimum content section says:

The Policies and Procedures shall include, but not be limited to:

1. NEDLC’s policy for the disposal of all PHI created, received, or maintained by NEDLC.

2. Protocols for training all NEDLC’s workforce members that are involved in handling and disposing of PHI as necessary and appropriate to ensure compliance with the policies and procedures provided for in section V(A) above.

3. Review and update as necessary NEDLC’s policy for the physical safeguarding of PHI.

4. Protocols for training all NEDLC’s workforce members that are involved with handling PHI to ensure compliance with the policies and procedures provided for in section V(A) above.

5. Application of appropriate sanctions against NEDLC workforce members who fail to comply with policies and procedures provided for in subparagraph (1) above.

My guess is they are on a crash course in HIPAA compliance across the board right now. This is one of those programs that may go from non-existent to fully functioning in less than 2 years. At least, that is what the CAP expects of them. I sincerely hope they are only worried about the bare minimum still.

New director shows up at OCR.

[13:35] (A little backtracking… we discussed this part earlier in the podcast recording.) Article: HHS names new acting Civil Rights director

HHS has not issued a big announcement that Lisa Pino was leaving nor that Fontes Rainer was appointed. If you search for it, you will see a couple of articles about Fontes Rainer’s appointment as Acting Director around the end of July, but not in a lot of places and nothing about Lisa Pino. I’m not even sure how the places that reported it even got the new acting director announcement.

Pino was in the last announcement from OCR July 15, but now it looks like she has gone completely dark. While there may be those that speculate about problems and troubles at HHS, I think it is best we assume a deeply personal issue has caused the switch. Whatever caused Lisa Pino to go dark, we are supposed to promote privacy here and that is what we will do. Best wishes for Lisa Pino’s current and future endeavors.

But, let’s talk about what this means to enforcement. That impacts us greatly. OCR has been left in the wind now for one reason or another since the beginning of 2020. Adapting rules, managing the surge impacts, and understanding how COVID has changed the requirements for everything OCR is supposed to be watching over has been a daunting task to say the least. Add to that the delays in approving new leadership in most federal government positions, which meant there was not an official Director in charge from early 2021 until Sept 2021. We discussed how she was just getting things under control when the 11 cases were announced in mid July.

I am certain the OCR staff is overwhelmed more than usual and this could impact their ability to move some of these important things through if there isn’t an official director appointed soon.

Hopefully, Acting Director Fontes Rainer will be able to move things forward while a new director is appointed. She moved from counsel to the HHS Secretary to Acting Director. Her background doesn’t appear to be along the lines of civil rights cases.

HIPAA applies even when you are taking out the trash. It’s not about protecting and securing only digital PHI and data on your computers. Make sure your staff understands that and you have policies and procedures (and audits) in place to properly protect PHI in all formats.


HIPAA is not about compliance, it’s about patient care.™