The OCR recently announced a $300,640 HIPAA settlement with New England Dermatology, P.C., d/b/a New England Dermatology and Laser Center (NDELC), for “improper disposal of protected health information.”
In 2021, NDELC filed a breach report after discovering on its own that, for ten years, it had discarded empty specimen containers with PHI on the labels in the parking lot garbage bin.
MPA blogged about the specimen bottle in July 2021. We’ve included it in our HIPAA trainings for healthcare employees ever since.
Are you staying ahead of the news and addressing new risks in your training?
PHI exists beyond the medical record. It includes patient names written on a rounding whiteboard. It includes data surrounding your medical devices. It also includes specimen bottles with labels containing patient information. And yet, I think we can all relate to the specimen bottle story – sometimes, we just forget something. Because much of the focus is on ePHI breaches, it is easy to forget that paper or physical PHI breaches, though they don’t happen very often, still happen. The purpose of your HIPAA program is to prevent that from happening to you.
This process fits naturally with your HIPAA Security Risk Analysis. A PHI inventory is simply a list of every kind of PHI in your organization: electronic and paper, stored, transmitted, received, and created. The PHI inventory will include obvious sources like the EHR, computers, networks, and flash drives. The PHI inventory should include less obvious sources, too, like PHI handled by a business associate – and even specimen containers.
When it comes to the PHI inventory, more heads are better than one. You might think of something I missed. Get your Compliance Committee together for a brainstorming session. Every time the Committee meets, ask again: do we have any new sources of PHI? Are we sharing or using PHI in a new way?
Like the HIPAA Security Risk Analysis, the PHI inventory should be updated regularly (and whenever you add a new form of PHI!). Likewise, HIPAA training should extend beyond clinical staff so that all employees are able to identify PHI.