OCR Settles Case Concerning Improper Disposal of Protected Health Information November 16 2022
Investigation Leads to $300,640 HIPAA Settlement and Corrective Action Plan
Today, the Office for Civil Rights (OCR) at the Department of Health
and Human Services announced a settlement with New England Dermatology
P.C., d/b/a New England Dermatology and Laser Center (“NEDLC”), over the
improper disposal of protected health information, a potential
violation of the Health Insurance Portability and Accountability Act
(HIPAA) Privacy Rule. As a result, NEDLC paid $300,640 to OCR and agreed
to implement a corrective action plan to resolve this investigation.
NEDLC is located in Massachusetts and provides dermatology services.
On May 11, 2021, NEDLC filed a breach report with OCR stating that
empty specimen containers with protected health information on the
labels were placed in a garbage bin in its parking lot. The
containers’ labels included patient names and dates of birth, dates of
sample collection, and the name of the provider who took the specimen. OCR’s
investigation, conducted by OCR’s New England Regional Office, found
potential violations of the HIPAA Privacy Rule including the
impermissible use and disclosure of PHI and failure to maintain
appropriate safeguards to protect the privacy of PHI.
“Improper disposal of protected health information creates an
unnecessary risk to patient privacy,” said Acting OCR Director Melanie
Fontes Rainer. “HIPAA regulated entities should take every step to
ensure that safeguards are in place when disposing of patient
information to keep it from being accessible by the public.”
In addition to the monetary settlement, NEDLC will undertake a robust
corrective action plan that includes two years of monitoring. A copy of
the resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/nedlc-ra-cap/index.html
Who is a Business Association under HIPAA? August 2 2013
When is a Person or Entity a Business Associate Under HIPAA?

After languishing for more than two years, the HIPAA Omnibus Rule was finally released on January 17, 2013. The Final Rule updates the HIPAA Privacy and Security Rules to comply with the changes made to the Rules by the HITECH Act.

The HITECH Act made clear that Business Associates would be directly liable for data breaches. But, based on the comments HHS received, there appeared to be some confusion about who is a business associate for the purposes of HIPAA. In addressing a comment regarding human research, HHS provided the following helpful response:

A person or entity is a business associate only in cases where the person or entity is conducting a function or activity regulated by the HIPAA Rules on behalf of a covered entity, such as payment or health care operations, or providing one of the services listed in the definition of 'business associate,' and in the performance of such duties the person or entity has access to protected health information.
87 F.R. 5575 (Jan. 25, 2013) (emphasis added).
As such, whether an individual or entity is a business associate is a fact-specific inquiry and all circumstances must be considered. Moreover, a person or entity can be a business associate when engaging in one activity but not a business associate when engaging in another. Consider the following example provided by HHS:

[A]n external researcher is not a business associate of a covered entity by virtue of its research activities, even if the covered entity has hired the researcher to perform the research. ...
However, a researcher may be a business associate if the researcher performs a function, activity, or service for a covered entity that does fall within the definition of business associate, such as the health care operations function of creating a de-identified or limited data set for the covered entity. See paragraph (6)(v) of the definition of ‘‘health care operations.’’ Where the researcher is also the intended recipient of the de-identified data or limited data set, the researcher must return or destroy the identifiers at the time the business associate relationship to create the data set terminates and the researcher now wishes to use the deidentified data or limited data set (subject to a data use agreement) for a research purpose.
87 F.R. 5575 (Jan. 25, 2013) (emphasis added).
To determine whether an individual or entity is a business associate, the tasks the individual or entity is undertaking must be reviewed carefully.