Be Careful with Information Destruction: Another Medical Record Disposal HIPAA Settlement

The U.S. Department of Health and Human Services Office for Civil Rights ("OCR") recently announced a new settlement with a small pharmacy, Cornell Prescription Pharmacy ("Cornell"). OCR alleged that Cornell was disposing of documents containing protected health information in unlocked, open dumpsters. This incident came to OCR’s attention after a local news organization reported finding patient records in unsecured containers (the news report is available here). The settlement resulted in a $125,000 resolution amount and a two-year corrective action plan.

If this sounds familiar, that’s because we saw seemingly the exact same thing in the CVS Pharmacy and Rite Aid cases that settled in 2009 and 2010, respectively. This also follows an OCR settlement in 2014, termed by OCR as a “medical records dumping case” where Parkview Health System, Inc. allegedly left 71 cardboard boxes of patient records on a physician’s home driveway when a purchase of the physician’s practice fell through.

OCR is sending a clear message: Covered entities need to use care and follow HIPAA requirements and OCR guidelines when disposing of protected health information. This settlement serves as a good reminder for covered entities and business associates to not only review and update their policies and procedures related to disposal of paper records (and electronic media containing protected health information), but to also conduct periodic walk-throughs to verify that workforce members are following the organization’s policies and procedures.

The OCR guidance on disposal of protected health information is available here.