A settlement announced this week by the Department of Health and Human Services, Office for Civil Rights (“OCR”) reminds us of the importance of properly disposing of paper medical records. OCR and Cornell Prescription Pharmacy (“Cornell”) have entered into a resolution agreement to settle allegations that Cornell violated HIPAA by disposing of medical records in an unsecured dumpster. Cornell is a small, single-location compounding pharmacy that provides in-store and prescription services to patients in the Denver, Colorado metropolitan area.

Under the resolution agreement, Cornell is required to pay $125,000 and adopt a corrective action plan that includes developing a comprehensive set of HIPAA policies and procedures and developing and providing staff training on HIPAA.

OCR opened its investigation into Cornell after receiving notification from a local Denver news station that Cornell disposed of un-shredded medical records containing protected health information (“PHI”) of 1,610 patients in an unlocked, open dumpster on Cornell’s premises. OCR’s investigation revealed that Cornell (1) failed to reasonably safeguard PHI, (2) failed to implement written HIPAA policies and procedures, and (3) did not provide, and did not document, staff training on its HIPAA policies and procedures.

In OCR’s announcement of the resolution agreement, OCR highlighted the continuing importance of secure disposal of paper medical records. “Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons,” said OCR Director Jocelyn Samuels. “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.”