Secure Disposal of Paper PHI: An Ongoing Concern for HIPAA Covered Entities and Business Associates

Electronic health records, telemedicine, health information exchanges, and personal fitness-tracking devices...electronic data has a vast and growing role in health care.  Concern for the privacy, security, and integrity of electronic health data is in the news and front-of-mind for HIPAA covered entities, regulators, and patients alike.  But what about paper?   A recent Resolution Agreement and Corrective Action Plan between a stand-alone pharmacy and the United States Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) highlights the ongoing importance of secure disposal of paper medical records.  HIPAA covered entities and business associates of every size should be aware that disposal of hard-copy media, including paper and film, remains a legitimate privacy and security concern, and merits ongoing vigilance even as businesses hone their e-PHI practices.
 
What Happened? 
 
In 2012, a news agency reported to HHS that a stand-alone compounding pharmacy had disposed of hard-copy documents in a dumpster accessible by the public.  The documents were not shredded and contained identifiable information about specific patients.  OCR opened an investigation into alleged violations of the Privacy Rule, including failure to implement appropriate policies and procedures, and failure to train workforce members.    
 
What Were OCR’s Options? 
 
The first step in an OCR investigation is intake and review.  OCR may only take action against complaints that meet designated criteria, including allegations of activity that, if true, would violate HIPAA.  If the complaint does not meet one or more of these criteria, it is “resolved” at intake and review, and OCR takes no further action on it.
 
If the complaint meets all criteria, OCR accepts the complaint for investigation.  OCR may, of course, determine that no violation occurred.  However, if the investigation reveals non-compliance, OCR may attempt informal resolution in the form of voluntary compliance/corrective action by the covered entity or business associate (generally, for less serious non-compliance).  OCR may also enter into a written resolution agreement and corrective action plan (RA/CAP) with the covered entity or business associate. 
 
If the complaint cannot be resolved informally or through an RA/CAP, OCR may issue a formal finding of violation and impose civil monetary penalties (CMPs) against the covered entity or business associate. 
 
What was the Result?
 
OCR and the pharmacy entered into an RA/CAP.  This was not an admission of liability by the pharmacy.  The pharmacy agreed to pay HHS $125,000.00 (the “resolution amount”), and to implement a CAP.  The CAP requires the pharmacy to develop, maintain, and revise as necessary policies and procedures governing PHI (to be pre-approved by OCR), including policies and procedures addressing “[a]dministrative and physical safeguards for the disposal of all non-electronic PHI…including, but not limited to, providing that paper PHI intended for disposal shall be shredded, burned, pulped, or pulverized so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.”  The CAP also requires the pharmacy to train employees, document the training, and obtain certification from employees that they have read, understand, and will abide by the policies and procedures.  Employees who do not provide the needed certification cannot be involved in the use and disclosure of PHI, including its disposal.  The pharmacy must regularly review, revise, and update policies and procedures, implement an internal reporting and investigation process for alleged violations, and notify HHS of violations the pharmacy discovers.
 
Commenting on the RA/CAP, OCR Director Jocelyn Samuels emphasized: 
 
Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons...Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.
 
HHS Guidance On the Secure Disposal of Paper Records
 
The Privacy Rule requires a covered entity to implement “appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.”[1]  This general obligation is the same for hard-copy and electronic PHI, and encompasses the disposal of PHI.  While the Privacy Rule does not require a particular method of disposal, HHS has provided guidance.  In accordance with this guidance and to comply with the Privacy Rule, covered entities should:
 
  • Review their individual circumstances (including potential privacy risks and the form, type, and amount of PHI involved) to determine how to reasonably safeguard PHI through disposal. Examples:
      • Shred, burn, pulp, or pulverize paper records so that PHI is rendered unreadable, indecipherable, and otherwise incapable of reconstruction.
      • Maintain PHI for disposal in a secure area, using a disposal vendor as a business associate to collect and destroy the PHI.
  • Recognize that certain types of PHI—such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, and other sensitive information—warrant particular care to reduce the risk of identity theft, employment or other discrimination, or reputational injury;
  • Consider, as appropriate, what other prudent health care and health information professionals have done to safeguard PHI through disposal;
  • Use the results of the internal review to create, modify, and/or implement policies and procedures addressing disposal;
  • Train all workforce members involved in disposing of PHI (including volunteers, off-site workers, and those who supervise others involved in disposal) on proper disposal techniques;
  • If winding up a business, give patients the opportunity to collect their records before disposal (this may be required by state law); and
  • If using a disposal vendor as a business associate, include terms in the business associate agreement requiring that the vendor appropriately safeguard PHI through disposal.

Covered entities and business associates should also be attuned to applicable State information privacy laws, and other applicable Federal laws such as 45 CFR Part 2 (Confidentiality of Alcohol and Drug Abuse Patient Records), which may provide additional protection for PHI in general, or for certain categories of PHI such as mental health records, communicable disease records, and substance abuse treatment records.
 
Paper Records and the HIPAA Breach Notification Rule
 
Covered entities and business associates should be aware that paper records are particularly vulnerable to “breach” under the Breach Notification Rule because they cannot be encrypted.
 
The Breach Notification Rule requires that covered entities notify individuals and others when the privacy or security of “unsecured PHI” is compromised:  in other words, when a breach occurs.  “Unsecured PHI” includes any PHI—electronic or otherwise—“that is not rendered unusable, unreadable, or indecipherable to unauthorized persons…”  OCR has adopted standards for the encryption of electronic PHI so that it can exist “at rest” and “in motion” in a sufficiently secure fashion so as not to be “unsecured PHI.”  No such standards exist for hard-copy media:  paper and film are, by definition, “unsecured PHI” unless they have been “shredded or destroyed such that the PHI cannot be read or otherwise cannot be reconstructed.”[2]  If hard-copy PHI exists in readable or reconstructable form, it is “unsecured PHI.” 
 
If readable or reconstructable hard-copy PHI is acquired, accessed, used, or disclosed in a manner not permitted by HIPAA, a breach is presumed[3] unless the covered entity or business associate “demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment…”[4]
 
Other OCR Investigations Involving Improper Disposal of Paper Records
 
OCR has investigated and resolved over 23,476 cases by requiring changes in privacy practices and corrective action by covered entities and business associates, or by providing technical assistance to these entities.  “Lack of safeguards of protected health information” is second on the list of most frequently investigated compliance issues. 
 
The HITECH Act requires that HHS post a listing of breaches of unsecured PHI affecting 500 or more individuals.  Filtering these postings by Location of Breach (Paper/Films) and Type of Breach (Improper Disposal) yields more than thirty (30) breaches, affecting 500 or more individuals, which involve improper disposal of non-electronic PHI.  While the government portal does not provide a detailed description of every breach or describe how each was resolved, examples are instructive:

(1) In 2009, HHS reached a Resolution Agreement with a national pharmacy chain for alleged Privacy Rule violations.  OCR opened its investigation in the wake of media reports alleging that the covered entity disposed of PHI in unsecured dumpsters accessible to the public.  The Federal Trade Commission (FTC) also opened an investigation, which it pursued collaboratively with OCR.

Among other issues, the OCR investigation revealed that the covered entity did not implement adequate policies and procedures to safeguard PHI during the disposal process, did not adequately train employees on proper disposal of PHI, and did not maintain and implement sanctions policies for workforce members who failed to comply with disposal policies and procedures.  The RA/CAP required the covered entity to pay a $2.25 million resolution amount to HHS, and to ensure appropriate disposal of PHI by:
  • Revising and distributing policies and procedures for disposal of PHI;
  • Sanctioning workers who do not follow them; 
  • Training workforce members on the new requirements;
  • Conducting internal monitoring;
  • Engaging a qualified, independent third party to assess and report on the covered entity's compliance with the CAP;
  • Implementing internal reporting procedures requiring workers to report all violations of the new policies and procedures; and
  • Submitting compliance reports to HHS for a three-year period.

The pharmacy chain and its parent company also signed a consent order with the FTC.

(2) In 2010, HHS reached a Resolution Agreement with a different pharmacy chain to resolve potential Privacy Rule violations.  In a coordinated action, the chain also signed a consent order with the FTC to settle potential violations of the FTC Act.

OCR opened its investigation after television media videotaped pharmacies disposing of prescriptions and labeled pill bottles in trash containers accessible by the public.  Among other issues, the reviews by OCR and the FTC indicated that the covered entity did not implement adequate policies and procedures to appropriately safeguard PHI during the disposal process, did not adequately train employees on how to properly dispose of PHI, and did not maintain a sanctions policy for workforce members who failed to properly dispose of PHI. The RA/CAP required the covered entity to pay a $1 million resolution amount to HHS, and to ensure appropriate disposal of PHI by: 
  • Revising and distributing its policies and procedures regarding disposal of PHI, and sanctioning workers who do not follow them;
  • Training workforce members on these new requirements;
  • Conducting internal monitoring; and
  • Engaging a qualified, independent third party to conduct compliance reviews and report to HHS. 
The covered entity also agreed to external independent assessments of its stores' compliance with the FTC consent order.  The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years.

More limited information is available about the following breaches:
  • A health care provider improperly disposed of PHI in a dumpster outside a doctor's office, including demographic, financial, clinical, and other medical information.  After the breach, the covered entity notified all affected individuals, posted a notice about the incident on its website, attempted to retrieve and track all of the medical records that were inappropriately disposed of, offered all affected individuals identity theft protection, obtained a formal apology from the physician involved and assumed direct management of that physician's office operations, and re-educated its workforce regarding appropriate medical record protection and disposal requirements.
  • A health care provider disposed of PHI in a dumpster, and the wind blew the records over an area of several blocks.  The PHI involved in the breach included addresses, diagnoses, treatment details, test results, and some Social Security numbers.  The covered entity responded rapidly and attempted to limit harm to patients.  The covered entity issued an apology, provided credit monitoring services, and agreed to embark on an employee training program. 
  • A health care provider disposed of documents in a commercial dumpster.  The records included credit card numbers, Social Security numbers, and dates of birth.  The covered entity responded rapidly and changed several procedures, including relocating recycling bins to central locations.  The covered entity will train staff and offer 12 months of free credit monitoring.
  • A health care provider’s janitorial service mixed paper recycling containing PHI with the regular trash, instead of moving it to a locked shredding bin.  As a result, paper PHI was collected and handled by a waste management company in the usual manner and was not securely shredded.  The compromised PHI may have included full names, Social Security numbers, insurance plan information, and medical information.  The health care provider issued an apology, advised individuals on monitoring for identity theft, and instructed office and janitorial services on proper procedures and safeguards to prevent reoccurrence.

So, What About Paper?
 
HIPAA covered entities should carefully attend to the disposal of PHI in all forms, whether hard-copy or electronic.  While cybersecurity is in the national spotlight across industries, paper remains a true Achilles heel under HIPAA (as well as under other federal laws and state laws not addressed here).  OCR investigations and enforcement actions involving the disposal of paper records highlight the particular vulnerabilities of hard-copy media:  covered entities, business associates, and workforce members may be less attuned to or focused on appropriate disposal procedures (because it looks like ordinary trash, it may inadvertently be treated like ordinary trash), and there is no equivalent to encryption for paper records “at rest” or “in motion.”
 
The general takeaway from the most recent HIPAA enforcement action is simple: be as vigilant about paper as you are about electronic PHI.  Implementation of this general rule should be individually tailored to the specific type and amount of PHI you create, maintain, use, and disclose. 

To learn more, contact Kim Metzger or any member of Ice Miller's Data Security and Privacy practice group.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.


[1] 45 CFR 163.530(c)(1).
[2] OCR specifically excludes redaction as a means of data destruction.
[3] Exceptions exist for certain unintentional acquisition, access, or use by workforce members within the covered entity or business associate; for inadvertent disclosures to persons within the same covered entity, business associate, or organized health care arrangement; and disclosures when there is a good faith belief that the recipient would not reasonably have been able to retain the information.
[4] The risk assessment must include at least the following:  (1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the PHI or to whom the disclosure was made; (3) whether the PHI was actually acquired or viewed; and (4) the extent to which the risk to the PHI has been mitigated.