A recent healthcare privacy enforcement action should serve as a timely reminder to the survey, opinion and marketing research profession that getting (and keeping) compliant with the Health Insurance Portability and Accountability Act (HIPAA) isn't always that hard.
HHS had investigated Cornell Prescription Pharmacy in Denver, Colorado, after news reports that the company had improperly disposed of protected health information (PHI) of more than 1600 patients "in an unlocked, open container." Given that dumpster diving is such an old-school, but effective, method for miscreants to steal vital data, "out of sight, out of mind" is not a tenable or survivable data disposal policy.
Proper data disposal policies are also required under HIPAA. According to HHS, "the documents were not shredded and contained identifiable information regarding specific patients," likely because the company failed "to implement any written policies and procedures as required by the HIPAA Privacy Rule." The company apparently also didn't train its employees (as required by HIPAA) in the right policies and procedures.
Improper data disposal and policies in this case cost Cornell $125,000. Next time, without some simple measures, your company could be the one in the crosshairs of regulatory enforcement agencies or trial lawyers -- and the cost could be a lot greater.
See MRA's members-only white paper on HIPAA compliance for researchers and our best practices 1-pager on appropriate data disposal policies and procedures for researchers.
This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.