FYI: HIPAA Privacy - Improper Disposal of Health Information Can Be Costly
By Cindy Van Bogaert
April 8, 2009
Here is your latest FYI: Employee Benefits Update from Cindy Van Bogaert, Partner and Chair of the Employee Benefits Practice Group at Boardman Law Firm LLP.
This FYI discusses recent guidance on how to properly dispose of health information under the Health Insurance Portability and Accountability Act ("HIPAA") privacy rules. Employers with group health plans are required to properly safeguard protected health information. As discussed below, improper disposal of protected health information can be costly.
Here are links to two recent developments:
- A multi-million dollar settlement involving improper disposal of health information: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresagrcap.pdf.
- New government-issued FAQs that address the HIPAA Privacy Rule requirements for disposal of protected health information: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf.
The guidance is a good reminder to employers to periodically self-audit compliance with privacy policies and procedures, including re-evaluating how protected health information is disposed of. Besides concerns about disposing of health information in trash containers that are not secure and could be accessed by the public, other concerns raised by the government involved failure to have proper policies and procedures to safeguard protected health information and failure to adequately train employees.
The guidance notes generally that health plans should review their own circumstances to determine what steps are reasonable to safeguard protected health information through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to the individual's privacy, as well as consider such issues as the form, type, and amount of protected health information to be disposed of. For instance, the disposal of certain types of protected health information such as name, social security number, driver's license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual's reputation.
What should employers do?
- Review disposal of protected health information as part of a regular HIPAA self-audit process. HIPAA record retention requirements should be part of the review process. Check with counsel regarding any other laws that might affect the method of disposal.
- Check written policies and procedures regarding disposal. Ensure that sanctions for violations of the policies and procedures are in place and enforced.
- Make sure business associate arrangements are in order with respect to disposal issues.
- Provide for training and keep records of training. (Note that I will be providing a HIPAA Privacy Basics Training Seminar on May 14th. See this page for details on how to sign up. If this date and time do not work for you, contact me to see if an individualized training session might work for your organization.)
Please contact me if you would like more information or assistance.
This FYI is not legal advice. Individuals should seek advice based on their particular circumstances from their own counsel. Nothing in this FYI is intended to be used, and no information can be used, for the purpose of avoiding penalties under the Internal Revenue Code, or promoting, marketing, or recommending to another party any transaction or matter addressed in this FYI.
If you have any questions or need assistance, please contact Cindy Van Bogaert at (608) 283-7543 or Email.
