Pharmacy Pays for HIPAA Violations
Today, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced its HIPAA settlement with Cornell Prescription Pharmacy (“CPP”) for disposing of patient information in a dumpster, failing to implement written HIPAA policies and procedures, and failing to provide HIPAA training to its employees.
CPP is a small, single-location Colorado pharmacy specializing in compounded medications and in serving hospice care agencies. OCR’s investigation arose out of a January 2012 television news report that documents containing protected health information (PHI) were disposed of in a publicly accessible dumpster. OCR’s investigation also found that CPP failed to implement written privacy policies and procedures and to train its employees on privacy.
Over three years have passed between the commencement of the investigation in January 2012 and today’s announcement. CPP agreed to pay $125,000 and enter into a Corrective Action Plan that specifically requires CPP to implement written HIPAA privacy policies and procedures, obtain OCR’s approval of the policies, and provide HIPAA training to its workforce members.
This settlement is a reminder of the importance of safeguarding PHI in paper or electronic form, and suggests that OCR’s patience with improper disposal of PHI and with insufficient policies and training is wearing thin. OCR Director Jocelyn Samuels warned in the press release that “Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.”
The Resolution Agreement, the Corrective Action Plan and OCR’s press release are available on the U.S. Department of Health and Human Services website.