What are the HIPAA Violation Consequences for Improper Disposal?

Improper disposal of protected health information can lead to enforcement action by the HHS Office for Civil Rights that includes corrective action requirements and civil money penalties, can trigger breach notification duties under the HIPAA Breach Notification Rule, and can support criminal prosecution when an individual knowingly obtains or discloses protected health information through wrongful conduct. Improper disposal includes discarding records in regular trash, leaving paper files in unsecured containers, releasing device media without data removal, or transferring equipment for reuse or resale without sanitizing electronic protected health information.

Improper disposal is a safeguards failure under the HIPAA Privacy Rule because regulated entities must apply reasonable safeguards to limit uses and disclosures of protected health information during disposal. Improper disposal is also a physical safeguards failure under the HIPAA Security Rule when policies and procedures do not address the final disposition of electronic protected health information and the hardware or electronic media that store it, and when procedures for removal of electronic protected health information before reuse are absent or not followed. Disposal controls typically require secure destruction methods for paper and media and documented device sanitization methods such as clearing, purging, or physical destruction based on the media type and risk.
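The paragraph above says disposal controls should use documented sanitization methods chosen by media type and risk. The script below is an added example (not from Calculated HIPAA or any HIPAA guidance) showing one piece of that documentation: after a drive has been overwritten with a fixed pattern ("clearing"), read the media back and confirm no block still holds residual data, then emit a sanitization record for the disposal file. The device identifiers, the 4 KiB in-memory "drive" images, and the `RESIDUAL` marker are all constructed for the demonstration; in practice the image would be read from the sanitized device itself.

```python
"""Verify a cleared media image and produce a sanitization record.

Added example, not part of the original article. The sample images and
device identifiers below are constructed; real use would read the device.
"""
import hashlib
from datetime import datetime, timezone

BLOCK_SIZE = 512  # sector size used for reporting the first residual offset


def find_residual_data(image: bytes, pattern: bytes = b"\x00",
                       block_size: int = BLOCK_SIZE):
    """Return the byte offset of the first block that does not match the
    overwrite pattern, or None if every block matches (media is cleared)."""
    if not pattern:
        raise ValueError("overwrite pattern must be non-empty")
    for offset in range(0, len(image), block_size):
        block = image[offset:offset + block_size]
        # Expected block contents: the pattern repeated to the block length
        expected = (pattern * (len(block) // len(pattern) + 1))[:len(block)]
        if block != expected:
            return offset
    return None


def verify_cleared(image: bytes, pattern: bytes = b"\x00",
                   block_size: int = BLOCK_SIZE) -> bool:
    """True only if every block reads back as the overwrite pattern."""
    return find_residual_data(image, pattern, block_size) is None


def sanitization_record(device_id: str, method: str, image: bytes,
                        performed_by: str, pattern: bytes = b"\x00") -> dict:
    """Build the record a disposal log would retain for this device.

    The SHA-256 of the read-back image lets a reviewer confirm later that the
    verification was run against the same data that was inspected."""
    residual = find_residual_data(image, pattern)
    return {
        "device_id": device_id,
        "method": method,
        "verified": residual is None,
        "first_residual_offset": residual,
        "image_sha256": hashlib.sha256(image).hexdigest(),
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "performed_by": performed_by,
    }


def build_sample_images():
    """Constructed 4 KiB images: one fully cleared, one with residual data
    left in the sixth sector (offset 2560), as a failed overwrite would show."""
    cleared = bytes(4096)
    partial = bytearray(4096)
    partial[5 * BLOCK_SIZE:5 * BLOCK_SIZE + 8] = b"RESIDUAL"
    return cleared, bytes(partial)


if __name__ == "__main__":
    cleared, partial = build_sample_images()
    for dev, img in (("SAMPLE-DRIVE-01", cleared), ("SAMPLE-DRIVE-02", partial)):
        rec = sanitization_record(dev, "clear (single-pass overwrite)", img,
                                  performed_by="example technician")
        status = "cleared" if rec["verified"] else (
            f"RESIDUAL DATA at offset {rec['first_residual_offset']}")
        print(f"{dev}: {status}")
```

A read-back check like this only validates the clearing category: it shows the addressable sectors hold the pattern, not that flash media with wear levelling or remapped sectors retains nothing, which is why purging (vendor sanitize commands) or physical destruction is the documented method for higher-risk media and is verified by other means. The record includes the failing offset so a device that fails verification is held back from reuse or resale rather than silently re-queued.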

The HHS Office for Civil Rights can open a compliance review, investigate a complaint, or initiate an enforcement action after an improper disposal incident, including events reported through breach notifications. Outcomes can include a resolution agreement, a corrective action plan, and multi-year monitoring with required remediation such as revised policies, workforce training, risk analysis and risk management measures, and vendor oversight where disposal services are outsourced. Civil money penalties are assessed under a tiered structure based on culpability and are subject to per-violation and annual limits that are adjusted for inflation through federal rulemaking.

When improper disposal creates an impermissible acquisition, access, use, or disclosure of unsecured protected health information, the regulated entity must apply the HIPAA Breach Notification Rule risk assessment process and complete required notifications to affected individuals and the Department of Health and Human Services, and to media outlets when the incident involves more than 500 residents of a state or jurisdiction. Criminal liability can apply to individuals who knowingly obtain or disclose protected health information in violation of federal law, with increased penalties for conduct under false pretenses or for personal gain or malicious harm, including fines and imprisonment.

About Christine Garcia

Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA