Responding to a HIPAA Privacy Violation Alleging Improper Disposal of Records

Natalie Kelly, NAS Insurance Services/Lloyds Associate VP Claims


Violation of Health Care Privacy and Security Rules.


Case settled without fines or penalties. Legal and patient notification costs totaled $85,000.

Case Summary

The employees of a physician disposed of medical records inappropriately by placing them into office recycling bins. Although the contents of the recycling bins were supposed to be shredded, these instructions were not communicated to the building’s janitorial services. As a result, the files were transferred to the building’s recycling area without being shredded. Although only approximately 500 patients were involved in the breach, the physician could not be sure which files had been placed in the recycling bins and which had not. Therefore, all of the physician’s 7,500 current and past patients had to be notified of the breach. The physician was also required to notify the Department of Health and Human Services (“DHHS”). The DHHS responded by opening an investigation and requiring the physician to implement a program to comply with the Privacy and Security Rules. Once its investigation had been completed, the DHHS dismissed the matter without assessing fines or penalties against the physician.


The insured’s responsibility to safeguard patients’ protected health information was not met. Failure to adequately supervise the destruction of the records created a scenario that could have resulted in a significant fine under the HIPAA Privacy Rule or other regulations. Although no fine or penalty was imposed in this case, there were significant legal and patient notification costs related to compliance with privacy laws, as well as unwanted distractions that staff were forced to deal with, taking time away from their normal duties.

Risk management principles

Protecting patients’ health information should be given a high priority to avoid violations of HIPAA, HITECH, and other health information regulations. Avoid outsourcing or delegating the destruction of files or records to others unless you or your staff members are present to supervise the shredding of files or the destruction of data storage devices.

OMIC’s professional liability policy includes coverage for this type of event. Under the Broad Regulatory Protection and eMD Cyber Liability benefits, there is a $50,000 limit to pay for legal and patient notification costs related to alleged HIPAA Privacy and other regulatory and data breach violations. See this related BRP/eMD Coverage Q&A for more information.

This is OMIC web exclusive content.
