As humans, we dispose of garbage on a regular basis with little thought. Many organizations take precautions when disposing of private information by shredding or incinerating written and typed documents. But information in less traditional formats can slip through the cracks of regulation and cost an organization millions of dollars in fines.
This was the case a few years ago when Rite Aid Corp (RAC) threw out pill bottle labels. Television media exposed RAC with videotaped incidents of its pharmacies disposing of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers with public access. This exposed the individuals’ information to the risk of identity theft and other crimes, and violated the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
“It is critical that companies, large and small, build a culture of compliance to protect consumers’ right to privacy, and safeguard health information,” said Georgina Verdugo, director of the Office for Civil Rights (OCR). “OCR is committed to strong enforcement of HIPAA.”
RAC and its 40 affiliated entities agreed to pay $1 million for violations of HIPAA. Surprisingly, this isn’t the first time an organization has been reprimanded for such an act. The Federal Trade Commission (FTC) and the Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules, settled a similar case involving another national drug store chain the previous year.
The HIPAA Privacy Rule requires health plans, health care clearinghouses and most health care providers to protect the privacy of patient information at all times. To avoid violating HIPAA and losing the trust of clients, organizations should make the disposal of private information a priority:
- Implement and distribute adequate policies and procedures to appropriately safeguard patient information during disposal of protected health information.
- Train workforce members on these new requirements.
- Conduct internal monitoring.
- Engage a qualified, independent third party assessor to conduct compliance reviews and render reports to the Department of Health and Human Services (HHS).
Trust is one of the most valuable assets of an organization. So when disposing of a patient’s health information, ensure that it is in accordance with HIPAA. Otherwise, you might throw your patient’s trust out with the garbage.