On August 23, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced that Massachusetts-based New England Dermatology, P.C., d/b/a New England Dermatology and Laser Center (NEDLC), agreed to resolve alleged HIPAA violations for a fine of $300,640.

OCR commenced an investigation of NEDLC after the provider filed a breach report stating that empty specimen containers with protected health information (PHI) on the labels were placed in a garbage bin in NEDLC’s parking lot. The labels included patient names and dates of birth, among other things. OCR’s investigation found potential violations of the HIPAA Privacy Rule, including impermissible use and disclosure of PHI as well as a failure to maintain appropriate safeguards to protect the privacy of PHI.

As part of the settlement, NEDLC must also adopt a robust corrective action plan and will be monitored by OCR for two years. Among other things, NEDLC will be required to designate a privacy official who will be responsible for the development and implementation of HIPAA policies and procedures, and to assess, update, and revise its policies and procedures at least annually or as needed.

The settlement reinforces that HIPAA compliance includes not only protection of electronic patient records, but proper handling of physical items as well.

Sign up to receive Rivkin Rounds at www.RivkinRounds.com.