Case Study – Improperly Dumping Patient Records

Practices build up a large amount of paper data on patients. Even in the days of electronic medical records, the amount of paper that is still around can be surprising. Paper records take up a lot of space and that is often small offices are in short supply of. This often leads practices to dispose of the old records once they have been digitized.  However, records containing patient data must be treated with the same care as other forms of patient data. When these paper charts are no longer needed, they must be disposed of properly, in a way that they cannot be viewed by another person. Improperly dumping patient records would result in many violations of HIPAA law. HIPAA has very specific guidelines on how these records must be destroyed when they are no longer needed. In this case study, we find out what happens when a practice decided to simply throw away many of its old paper records.

What happened?

In 2012, a small Denver, Colorado-based pharmacy, Cornell Prescription Pharmacy, threw away the records of 1,610 patients. The records were in an unlocked dumpster on the property of the pharmacy. A local news outlet got wind of the data and contacted the Department of Health and Human Services Office of Civil Rights (HHS OCR).

OCR began an investigation and found that the records had not been shredded or destroyed.

Cornell Prescription Pharmacy is a single location pharmacy. They provide in-store and prescription services to patients in the Denver metropolitan area, specializing in compounded medications and services for hospice care.

What was the result?

In 2015, OCR released a statement saying it had reached a settlement with the pharmacy. In their statement, OCR settled that the pharmacy had agreed to pay a $125,000 penalty and abide by a corrective action plan.

In addition to the $125,000 settlement amount, OCR required the pharmacy to develop and implement a comprehensive set of policies and procedures to comply with the Privacy Rule and develop and provide staff training, This was done to address the deficiencies that OCR found in the pharmacy’s compliance program.

“Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.”  OCR Director Jocelyn Samuels

Why is improperly dumping patient records a big issue?

Under HIPAA regulations, patient data must be protected by a Covered Entity or Business Associate, no matter what form it takes. Paper charts are no different than electronic records.

When paper charts are thrown away in an area where anyone could access them, this information has been breached.

All records must be destroyed when no longer needed according to HIPAA regulations. If records are not disposed of properly, then the breach can result in fines ranging from $100 to $50,000 per patient records, up to a maximum of $1,500,000.

Patient records contain a lot of sensitive information about patients that could be used for identity theft, insurance fraud, and other criminal acts.

Small entities don’t fly under the radar

In this case, the pharmacy wasn’t a national chain. It was a single location pharmacy but it still got the attention of OCR. The government wants to make sure that all entities, regardless of their size, need to understand their obligations under HIPAA law.

This shows that OCR is serious about entities of all sizes.

HHS has a helpful document on their site that details how to avoid improperly dumping patient records.