U.S. Department of Health and Human Services (HHS) announced late last week that
Cornell Prescription Pharmacy (Cornell) agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by
paying $125,000 and adopting a corrective action plan to resolve deficiencies in its HIPAA compliance program. While the settlement is significantly
smaller than many prior enforcement actions, the amount is substantial when taking into account that Cornell is a small, single-location pharmacy.
Cornell provides in-store and prescription services to patients in the Denver, Colorado, metropolitan area, and specializes in compounded medications and
services for hospice care agencies in the area. A complaint was submitted to HHS by a local Denver news outlet alleging that Cornell left on the pharmacy’s
premises an unlocked, open container of documents containing protected health information (PHI) of 1,610 individuals. It appeared that Cornell intended to
dispose of the documents, but had done so in an unsecured manner that resulted in a potential violation of the HIPAA Privacy Rule. The documents were not
shredded and contained identifiable information regarding specific patients. The HHS Office for Civil Rights (OCR) initiated an investigation that led to
the settlement with Cornell.
Many recent OCR enforcement actions related to HIPAA compliance have focused on failures to secure and safeguard electronic PHI (ePHI) properly on mobile
electronic devices such as laptops, and ePHI maintained on information systems. However, covered entities and business associates must not forget to be
equally vigilant with their protection of physical documents containing PHI, including medical records, patient lists and account statements. While the
HIPAA Privacy Rule does not specify how paper documents containing PHI must be disposed, the regulations require covered entities and business associates
to “review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and
procedures to carry out those steps.”
On the HHS website,
OCR offers answers to frequently asked
questions concerning HIPAA compliant disposal of protected health information.
OCR-recommended disposal methods for paper documents include:
- pulping or
The key is that all PHI must be rendered unreadable, indecipherable and otherwise impossible to reconstruct.
Commenting on this settlement, OCR Director Jocelyn Samuels stated, “Even in our increasingly electronic world, it is critical that policies and procedures
be in place for secure disposal of patient information, whether that information is in electronic form or on paper.” Thus, all covered entities and
business associates that handle paper documents containing PHI should implement and enforce policies on the proper disposal of such documents to prevent an
incident akin to the one that Cornell experienced.
During its investigation of Cornell, OCR also found that Cornell had failed to implement written policies and procedures required by the HIPAA Privacy Rule
and failed to provide training on policies and procedures to its workforce as required by the HIPAA Privacy Rule.
This enforcement action also reinforces OCR’s consistent position that the size of the covered entity or business associate is irrelevant to OCR when it
comes to HIPAA compliance and enforcement. “Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or
other containers that are accessible by the public or other unauthorized persons,” Samuels said in a statement related to the Cornell settlement.
Cornell resolution agreement can be found on the OCR website.
If you have questions regarding this article or HIPAA compliance more generally, you may contact
Nathan Kottkamp at 804.775.1092,
Kim Kannensohn at
Meggan Bushee at 704.343.2360.