HIPAA Settlement Requires Pharmacy to Pay $125,000 for Unsecured Drug Records

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

April 27 — A Denver-area pharmacy will pay $125,000 and adopt a corrective action program to resolve charges that it violated the Health Insurance Portability and Accountability Act Privacy Rule in failing to secure patient records, according to a bulletin and resolution agreement released by the Health and Human Services Department's Office for Civil Rights April 27.

Under the agreement dated April 22, Cornell Prescription Pharmacy, which provides in-store and prescription drug services, will develop and implement policies and procedures to comply with the Privacy Rule and develop and provide staff training to resolve allegations that its HIPAA compliance program and practices were deficient. Cornell, while agreeing to settle the matter, didn't admit any liability for potential violations of the act.

The OCR said it opened a compliance review and investigation after receiving notification from a Denver news outlet regarding the disposal of unsecured documents containing the protected health information of 1,610 patients in an unlocked and open container on the pharmacy's premises. Cornell specializes in compounded medications and services for hospice care agencies in the Denver area, the OCR said.

It alleged that the documents weren't shredded and contained identifiable information regarding specific patients. The OCR also said that, during its investigation, it determined that Cornell failed to implement written policies and procedures and failed to provide training on policies and procedures to its workers as required by the Privacy Rule.

“Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons,” OCR Director Jocelyn Samuels said in the bulletin. “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper,” she said.

The resolution agreement is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cornell/cornell-cap.pdf.