9. Improper Disposal of PHI
When physical PHI and ePHI are no longer required and retention periods have expired, the HIPAA Rules require the information to be securely and permanently destroyed so that it cannot be read or reconstructed. For paper records this could involve shredding or pulping; for ePHI, it could involve degaussing, securely wiping, or physically destroying the electronic devices and media on which the ePHI is stored. HIPAA does not prescribe a particular destruction method, so covered entities and business associates must choose one appropriate to the media and document it in their policies; OCR guidance points to NIST SP 800-88 (Guidelines for Media Sanitization) as a reference for electronic media. Simply deleting files or discarding devices and paper in regular trash is not sufficient and has led to impermissible disclosures. Financial penalties issued to covered entities for improper disposal of PHI/ePHI include:
Parkview Health – $800,000 penalty for the failure to securely dispose of paper records containing PHI.
Cornell Prescription Pharmacy – $125,000 penalty for the improper disposal of PHI.
FileFax Inc. – $100,000 penalty for a defunct business over improper disposal of medical records.
10. Denying Patients Access to Health Records/Exceeding Timescale for Providing Access
The HIPAA Privacy Rule gives patients the right to access their medical records and obtain copies on request. This allows patients to check their records for errors and share them with other entities and individuals. Denying patients copies of their health records, charging more than a reasonable, cost-based fee for copies, or failing to provide the records within 30 days of the request (a single 30-day extension is permitted if the patient is notified in writing of the reason for the delay) is a violation of HIPAA. While this is not one of the most common HIPAA violations to attract a financial penalty, OCR has stated it will be cracking down on this aspect of noncompliance in 2019. HIPAA settlements and penalties involving denial of access to records or unnecessary delays in providing access include:
Cignet Health of Prince George’s County – $4,300,000 civil monetary penalty, of which $1,300,000 was for denying 41 patients access to their medical records and the remaining $3,000,000 for failing to cooperate with OCR’s investigation.