The U.S. Department of Health and Human Services Office for Civil Rights (HHS) recently announced that it has reached an agreement with a small pharmacy to resolve potential HIPAA violations. The settlement arose from the disposal of unsecured paper documents containing protected health information (PHI) of the Pharmacy’s customers. The more well-known data breaches usually involve the improper disclosure of electronic PHI maintained by large covered entities, but this settlement is a good reminder that a covered entity, regardless of its size, must maintain the confidentiality of PHI, regardless of whether it is maintained in electronic or non-electronic form.

HHS began its investigation in 2012 after being notified by a news station, which reported that documents containing the PHI of over 1,600 individuals had been discarded into an unsecured dumpster on the property of Cornell Prescription Pharmacy. These documents, which were not shredded, contained specifically identifiable information on the Pharmacy’s patients. Upon investigation, HHS determined the Pharmacy, which is a single-location pharmacy specializing in compounding medicines and providing services to local hospice care agencies, had violated the HIPAA Privacy Rule by:

  • failing to reasonably safeguard PHI;
  • failing to implement written policies and procedures; and
  • failing to train employees on policies and procedures.

Although the settlement was not an admission of liability, the Pharmacy agreed to pay HHS $125,000 and implement an extensive corrective action plan (CAP). Because the Pharmacy had never developed and adopted the policies and procedures required under the HIPAA Privacy Rule, the CAP imposed significant additional obligations, including the development of the required policies and procedures and their submission to HHS for approval. The Pharmacy is also required to conduct appropriate training and submit annual reports for two years regarding its compliance with the CAP. Because the Pharmacy had never adopted or implemented the required policies and procedures, the costs of complying with the CAP are likely to be significant and are in addition to the $125,000 settlement payment.

Although the HIPAA Privacy Rule has been in place for over a decade, this settlement demonstrates there are covered entities or business associates that are not fully compliant with applicable provisions of HIPAA. In connection with this settlement agreement, HHS released an FAQ document about proper disposal of paper and electronic PHI. The announcement of this settlement also likely signals increased enforcement activities by HHS in the coming months and highlights the importance for covered entities and business associates, whether large or small, to take appropriate steps to minimize the chances of impermissible disclosures of PHI (in any format) and any resulting enforcement action by HHS. At minimum, a covered entity or business associate should:

  1. Ensure their privacy and security policies and procedures reflect the requirements of the HITECH Act and the HIPAA Omnibus Rule that was effective September 23, 2013 and that workforce members are trained to implement and follow these policies and procedures;
  2. At least annually conduct a thorough risk analysis to identify and mitigate security risks and vulnerabilities associated with PHI and adopt or revise policies accordingly;
  3. In the event of a suspected privacy breach, timely comply with breach investigation and notification requirements; and
  4. Determine whether existing general liability or professional liability policies provide coverage for data breach incidents and if not, contact their insurance broker about obtaining such coverage.