The Department of Health and Human Services, Office for Civil Rights (OCR) has fined a Denver-based pharmacy for allegedly violating the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
According to a Resolution Agreement published on the official HHS website, Cornell Prescription Pharmacy improperly disposed of customer records containing Protected Health Information (PHI) by placing them in a publicly accessible dumpster. Furthermore, the Resolution Agreement states that the pharmacy did not implement the necessary written policies and procedures that are mandated by HIPAA, nor did it train its employees on HIPAA Rules regarding the use, handling, storage and disposal of PHI.
OCR officials were notified of the violation by a local news agency, which recently covered a story on the Denver-based pharmacy. Reports indicate that a Denver news station alleged that Cornell Prescription Pharmacy had disposed of unshredded medical documents containing the PHI of some 1,610 customers in an unlocked, publicly accessible dumpster on the premises. When OCR officials conducted their investigation, they discovered that Cornell Prescription Pharmacy failed to implement appropriate and reasonable safeguards to protect PHI from unauthorized use or disclosure; failed to implement written policies and procedures for remaining HIPAA-compliant; and failed to train its workforce on HIPAA Rules, policies and procedures.
It's important to note that Cornell Prescription Pharmacy has not admitted to any wrongdoing. The pharmacy and the OCR have instead agreed upon a settlement of $125,000. In addition to the hefty fine, however, Cornell Prescription Pharmacy must also develop an appropriate set of HIPAA policies and procedures for its workers to follow.
"Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons," OCR Director Jocelyn Samuels said in a statement. "Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper."
This story attests to the importance of abiding by HIPAA when handling, and disposing of, Protected Health Information. Whether your business is a pharmacy, doctor's office, private practice, chiropractor, or any other covered entity, it's your responsibility to implement the necessary safeguards to keep your patients' information safe.