Yesterday, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that Cornell Prescription Pharmacy of Denver, Colorado (“Cornell Pharmacy”) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  Cornell Pharmacy, a single location pharmacy, will pay a $125,000 penalty and also enter into a two year Corrective Action Plan (“CAP”) to improve its HIPAA compliance program.

OCR first learned of Cornell Pharmacy’s potential HIPAA violations upon receipt of notification from a local Denver news outlet in January 2012.  The news outlet informed OCR that Cornell Pharmacy appeared to have disposed of unsecured documents containing patient information in a public dumpster.  Upon investigation, OCR confirmed that documents containing PHI of 1,610 patients had been disposed of in an unlocked, publicly accessible dumpster.  OCR did not publicize whether any such information has been misused to date.  OCR also found that Cornell Pharmacy had not implemented written policies and procedures required by HIPAA, nor had Cornell Pharmacy provided adequate HIPAA training to its workforce as required by law.  Pursuant to its CAP, Cornell Pharmacy will develop and adopt written HIPAA policies and procedures that must be reviewed and approved by OCR.  Additionally, Cornell Pharmacy will train its workforce on HIPAA and promptly submit reports of non-compliance with HIPAA to OCR.

In connection with this settlement, OCR Director Jocelyn Samuels released a statement regarding the importance of proper disposal of both paper and electronic patient records.  She explained that “regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons…It is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.”  Thus, this settlement reflects OCR’s continued concern regarding proper disposal of records containing patient information.

This settlement has been added to Cooley’s “Select HIPAA Privacy and Security Enforcement Actions Tracker” that may be accessed on the right side of this page or under the “Resources” tab above.