The U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced yesterday a new settlement relating to potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by Cornell Prescription Pharmacy (Cornell). Cornell is a small, single-location pharmacy that provides in-store and prescription services to patients in the Denver, Colorado metropolitan area, specializing in compounded medications and services for hospice care agencies in the area.

Cornell will pay $125,000 and adopt a corrective action plan to address deficiencies in its HIPAA compliance program. As part of its corrective action plan, Cornell will develop and implement a comprehensive set of policies and procedures to comply with the Privacy Rule and develop and provide staff training.

OCR opened a compliance review and investigation after receiving notification from a local Denver news outlet regarding the disposal of unsecured documents containing the protected health information (PHI) of 1,610 patients in an unlocked, open container on Cornell’s premises. The documents were not shredded and contained identifiable information regarding specific patients. Evidence obtained by OCR during its investigation reportedly revealed Cornell’s failure to implement any written policies and procedures as required by the HIPAA Privacy Rule. OCR also reports that Cornell failed to provide training on policies and procedures to its workforce as required by the Privacy Rule.

This new settlement emphasizes OCR’s expectations that covered entities, regardless of size, develop appropriate policies and procedures and training programs that address requirements of the HIPAA Privacy and Security Rules. OCR’s press release further emphasizes its expectation that organizations adopt and follow policies and procedures for secure disposal of PHI.