The state of Texas has recently sued Alliance Health Management & Consulting Inc. and is seeking civil penalties for improper disposal of PHI after the home health care management company failed to adhere to HIPAA and state regulations covering the disposal of medical records and personal information of patients.
Boxes of files were discarded in recycling dumpsters close to Stevenson Middle School last year without first being rendered unreadable or indecipherable. This incident breached both state and federal regulations. The files were discovered by a member of the public who reported the matter to the Northside Independent School District police department. The files were promptly collected and secured, and patients are not understood to have been adversely affected by the privacy breach. However, since state regulations were violated, legal action was taken by the Texas attorney general’s office against Alliance Health Management & Consulting Inc., as well as the company’s former director, Maria Olveda.
At this stage it is unclear exactly how many patients were affected by the breach. The data contained in the files included names, Social Security numbers, dates of birth, and addresses, along with confidential information such as drug abuse information, medical histories, and confidential information disclosed to counsellors.
The files were dumped 5 years after Alliance Health Management & Consulting Inc. permanently closed its doors for business in July 2009. The files were found on July 14, 2014.
According to the lawsuit, “The defendants failed to implement and maintain reasonable procedures to protect and safeguard from unlawful use or disclosure sensitive personal information.” Civil penalties for improper disposal of PHI have been pursued, and the state is expecting to recover up to $20,000 for each violation. Under state laws the company was required to ensure that the confidentiality of the company’s clients was not violated.
State attorneys general may take action against individuals for privacy breaches under state laws, and also under HIPAA/HITECH legislation. State attorneys general are permitted to assist the OCR with the enforcement of HIPAA regulations, and can issue HIPAA fines for violations that led to the exposure of PHI of state residents. The OCR can similarly seek civil penalties for improper disposal of PHI, and has done so on previous occasions.
Civil Penalties for Improper Disposal of PHI Issued by the OCR
Civil penalties for improper disposal of PHI are to be expected if medical records are not disposed of correctly. Blatant disregard of HIPAA Rules could see the maximum civil penalties for improper disposal of PHI applied. The maximum fine permissible under HIPAA/HITECH legislation is $1.5 million per violation category, per year. This means that if evidence is uncovered to suggest PHI has been disposed of incorrectly on multiple occasions, the fines could be far in excess of $1.5 million.
The OCR has previously fined Cornell Pharmacy $125,000 for dumping documents containing the PHI of 1,610 individuals, and the Rite Aid Corporation reached a settlement with the OCR for $1 million for the improper disposal of prescription bottles and labels in regular trash.
Attorney general fines and OCR penalties are issued in cases where HIPAA Rules have been ignored. To avoid civil penalties for improper disposal of PHI, covered entities must ensure that PHI, in all forms, is disposed of securely when it is no longer required.