The Department of Health and Human Services (“HHS”) recently announced a resolution agreement and $125,000 settlement with Cornell Prescription Pharmacy (“Cornell”) in connection with the disposal of prescription records in an unsecured dumpster on Cornell’s premises. After receiving a report from a Denver television station regarding Cornell’s disposal practices, HHS’s Office for Civil Rights (“OCR”) investigated Cornell and found several HIPAA Privacy Rule violations, including that Cornell had failed to:
- reasonably safeguard protected health information (“PHI”);
- develop and implement policies and procedures to comply with the HIPAA Privacy Rule; and
- provide appropriate training to its workforce.
In the resolution agreement, Cornell agreed to pay a $125,000 settlement to HHS and enter into a Corrective Action Plan that requires Cornell to:
- develop and maintain HIPAA Privacy Rule policies and procedures that state that “paper PHI intended for disposal shall be shredded, burned, pulped, or pulverized so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed”;
- submit those policies and procedures to OCR for review and approval, and distribute them thereafter;
- provide training for its workforce;
- report any events of noncompliance with its HIPAA Privacy Rule policies and procedures; and
- submit annual compliance reports to HHS for a period of two years.
In the Bulletin accompanying the resolution agreement, OCR Director Jocelyn Samuels stated that “[r]egardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.”
The settlement with Cornell highlights the importance of the proper disposal of pharmacy records and comes just three months after Safeway settled a case in California that involved the disposal of its pharmacy customers’ confidential information in the company’s dumpsters.