U.S. Department of Health and Human Services (HHS) announced late last week that Cornell Prescription Pharmacy (Cornell) agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by paying $125,000 and adopting a corrective action plan to resolve deficiencies in its HIPAA compliance program. While the settlement is significantly smaller than many prior enforcement actions, the amount is substantial when taking into account that Cornell is a small, single-location pharmacy.

Cornell provides in-store and prescription services to patients in the Denver, Colorado, metropolitan area, and specializes in compounded medications and services for hospice care agencies in the area. A complaint was submitted to HHS by a local Denver news outlet alleging that Cornell left on the pharmacy’s premises an unlocked, open container of documents containing protected health information (PHI) of 1,610 individuals. It appeared that Cornell intended to dispose of the documents, but had done so in an unsecured manner that resulted in a potential violation of the HIPAA Privacy Rule. The documents were not shredded and contained identifiable information regarding specific patients. The HHS Office for Civil Rights (OCR) initiated an investigation that led to the settlement with Cornell.

Many recent OCR enforcement actions related to HIPAA compliance have focused on failures to secure and safeguard electronic PHI (ePHI) properly on mobile electronic devices such as laptops, and ePHI maintained on information systems. However, covered entities and business associates must not forget to be equally vigilant with their protection of physical documents containing PHI, including medical records, patient lists and account statements. While the HIPAA Privacy Rule does not specify how paper documents containing PHI must be disposed, the regulations require covered entities and business associates to “review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps.”

On the HHS website, OCR offers answers to frequently asked questions concerning HIPAA compliant disposal of protected health information.

OCR-recommended disposal methods for paper documents include:

  1. shredding,
  2. burning,
  3. pulping or
  4. pulverizing.

The key is that all PHI must be rendered unreadable, indecipherable and otherwise impossible to reconstruct.

Commenting on this settlement, OCR Director Jocelyn Samuels stated, “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.” Thus, all covered entities and business associates that handle paper documents containing PHI should implement and enforce policies on the proper disposal of such documents to prevent an incident akin to the one that Cornell experienced.

During its investigation of Cornell, OCR also found that Cornell had failed to implement written policies and procedures required by the HIPAA Privacy Rule and failed to provide training on policies and procedures to its workforce as required by the HIPAA Privacy Rule.

This enforcement action also reinforces OCR’s consistent position that the size of the covered entity or business associate is irrelevant to OCR when it comes to HIPAA compliance and enforcement. “Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons,” Samuels said in a statement related to the Cornell settlement.

The Cornell resolution agreement can be found on the OCR website.