Recent HIPAA Settlement Involves Disposal of Unsecured Paper Records Containing Protected Health Information

On April 27, 2015, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced an agreement with Cornell Prescription Pharmacy (Cornell) to settle potential violations of the HIPAA Privacy Rule. In its Resolution Agreement, Cornell has agreed to pay $125,000, implement comprehensive policies and procedures in compliance with the HIPAA Privacy Rule, and provide staff training.

Cornell, a small, single-location pharmacy in Denver, Colorado, was the subject of an OCR compliance review and investigation after a local news outlet notified OCR of the pharmacy’s disposal of unsecured documents containing protected health information (PHI). Specifically, the information provided by the news outlet alleged that un-shredded documents containing PHI of 1,610 patients were disposed of in an unlocked, open container on Cornell’s premises. The press release indicates that the OCR investigation revealed Cornell’s failure to implement any written policies or procedures or provide workforce training on such policies, as required by the HIPAA Privacy Rule.

This OCR settlement should serve as a reminder to all HIPAA covered entities and business associates of the importance of educating employees about proper disposal of PHI and integrating an effective HIPAA compliance program that meets the requirements of the HIPAA Privacy Rule. Regardless of the size of the entity, organizations are expected to know and understand their obligations and responsibilities under HIPAA, incorporate meaningful policies and procedures, and educate staff members on the appropriate ways to handle and dispose of documents containing PHI.
