


Responding to a HIPAA Privacy Violation Alleging Improper Disposal of Records

Natalie Kelly, NAS Insurance Services/Lloyds Associate VP Claims

Allegation

Violation of Health Care Privacy and Security Rules.

Disposition

Case settled without fines or penalties. Legal and patient notification costs totaled $85,000.

Case Summary

The employees of a physician disposed of medical records inappropriately by placing them into office recycling bins. Although the contents of the recycling bins were supposed to be shredded, these instructions were not communicated to the building's janitorial services. As a result, the files were transferred to the building's recycling area without being shredded. Although only approximately 500 patients were involved in the breach, the physician could not be sure which files had been placed in the recycling bins and which had not. Therefore, all of the physician's 7,500 current and past patients had to be notified of the breach. The physician was also required to notify the Department of Health and Human Services ("DHHS"). The DHHS responded by opening an investigation and requiring the physician to implement a program to comply with the Privacy and Security Rules. Once its investigation had been completed, the DHHS dismissed the matter without assessing fines or penalties against the physician.

Analysis

The insured's responsibility to safeguard patients' protected health information was not met. Failure to adequately supervise the destruction of the records created a scenario that could have resulted in a significant fine under the HIPAA Privacy Rule or other regulations. Although no fine or penalty was imposed in this case, there were significant legal and patient notification costs related to compliance with privacy laws, as well as unwanted distractions that took staff time away from their normal duties.

Risk management principles

Protecting patients' health information should be given a high priority to avoid violations of HIPAA, HITECH, and other health information regulations. Avoid outsourcing or delegating the destruction of files or records to others unless you or your staff members are present to supervise the shredding of files or the destruction of data storage devices.

OMIC's professional liability policy includes coverage for this type of event. Under the Broad Regulatory Protection and eMD Cyber Liability benefits, there is a $50,000 limit to pay for legal and patient notification costs related to alleged HIPAA Privacy and other regulatory and data breach violations. See the related BRP/eMD Coverage Q&A for more information.

This is OMIC web exclusive content.
