Breaking Compliance News Blog

Patient specimens thrown out with the trash - Are you the last to know?

Posted by Margaret Scavotto, JD, CHC on 10/5/22 10:45 AM

Is your HIPAA training program identifying new risks?

The OCR recently announced a $300,640 HIPAA settlement with New England Dermatology, P.C., d/b/a New England Dermatology and Laser Center (NDELC), for “improper disposal of protected health information.”

In 2021, NDELC filed a breach report after discovering that, for ten years, it had discarded empty specimen containers with PHI on the labels in the parking lot garbage bin.

MPA blogged about the specimen bottle in July 2021. We’ve included it in our HIPAA trainings for healthcare employees ever since.

Are you staying ahead of the news and addressing new risks in your training?

Are you overlooking PHI?

PHI exists beyond the medical record. It includes patient names written on a rounding whiteboard. It includes data surrounding your medical devices. It also includes specimen bottles with labels containing patient information. And yet, I think we can all relate to the specimen bottle story – sometimes, we just forget something. Because much of the focus is on ePHI breaches, it is easy to forget that paper or physical PHI breaches, while they don’t happen very often, still happen. The purpose of your HIPAA program is to prevent that from happening to you.

Create a PHI inventory.

This process fits naturally with your HIPAA Security Risk Analysis. A PHI inventory is simply a list of every kind of PHI in your organization: electronic and paper, stored, transmitted, received, and created. The PHI inventory will include obvious sources like the EHR, computers, networks, and flash drives. The PHI inventory should include less obvious sources, too, like PHI handled by a business associate – and even specimen containers.

When it comes to the PHI inventory, more heads are better than one. You might think of something I missed. Get your Compliance Committee together for a brainstorming session. Every time the Committee meets, ask again: do we have any new sources of PHI? Are we sharing or using PHI in a new way?

Like the HIPAA Security Risk Analysis, the PHI inventory should be updated regularly (and whenever you add a new form of PHI!). Likewise, HIPAA training should extend beyond clinical staff so that all employees are able to identify PHI.

MPA can help you create current HIPAA training. We can also help you develop a HIPAA PHI inventory, and complete a HIPAA Security Risk Analysis.
Respond to this email for more information.
