On April 27, 2015, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced that it entered into a settlement with a Colorado pharmacy (“Pharmacy”) arising from alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule.  Under the settlement, the Pharmacy agreed to pay $125,000 in fines and to adopt a Corrective Action Plan to correct deficiencies in its HIPAA compliance program.  The Pharmacy is a small, single-location pharmacy that provides prescription drugs to residents of the Denver metropolitan area.

On January 13, 2012, OCR initiated a compliance review and investigation of the Pharmacy following a story aired by a local news station revealing that the Pharmacy had disposed of the unsecured hard copy protected health information (“PHI”) of 1,610 patients in a publicly accessible dumpster.  Upon the conclusion of its investigation, OCR concluded that the Pharmacy failed to:  (a) reasonably safeguard PHI; (b) implement written HIPAA privacy policies and procedures; and (c) train its workforce on its policies and procedures.

OCR and the Pharmacy entered into a Resolution Agreement and Corrective Action Plan that, in addition to the monetary payment, requires the Pharmacy to develop and implement a comprehensive set of policies and procedures to comply with the HIPAA Privacy Rule, to train its workforce in those policies and procedures and to appropriately document such training.  The Corrective Action Plan also sets minimum standards for the content of the policies and workforce training.

In a press release announcing the settlement, OCR Director Jocelyn Samuels emphasized that “[r]egardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.  Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.”

Practical Takeaways

In light of this enforcement action, covered entities of all types, regardless of their size, should take the necessary steps to ensure that they have comprehensive and effective HIPAA compliance programs, including:

  • Ensuring that PHI in paper format is shredded, destroyed or otherwise rendered secured prior to disposal;
  • Implementing policies and procedures to meet the requirements of the HIPAA Privacy Rule;
  • Conducting comprehensive risk analyses to identify and evaluate security vulnerabilities for all PHI;
  • Reviewing and revising privacy and security polices frequently to ensure that PHI is safeguarded;
  • Providing and updating privacy and security training for workforce members periodically; and
  • Investigating and appropriately sanctioning workforce members promptly for violations of HIPAA policies and procedures.

More information on this enforcement action, including the Resolution Agreement and the HHS press release, is available here.