Pharmacy Fined $125,000 for BreachPaper Patient Records Not Properly Destroyed
A small Denver compounding pharmacy has been slammed with a $125,000 federal penalty for a 2012 breach involving improper disposal of paper patient records. It's the second such HIPAA enforcement action within a year by federal regulators tied to an incident involving records dumping by a covered entity.
In an April 27 statement, the Department of Health and Human Services' Office for Civil Rights says Cornell Prescription Pharmacy has agreed to a HIPAA settlement that includes the $125,000 penalty and calls for adopting a corrective action plan to correct deficiencies in its compliance program.
Cornell is a single-location pharmacy that specializes in compounded medications and related services for hospice care agencies in the region.
Proper PHI Disposal
"Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons," says OCR Director Jocelyn Samuels. "Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper."
OCR launched a compliance review and investigation in February 2012 after the agency received notification from a Denver news outlet regarding the disposal of unshredded documents containing the protected health information of 1,610 patients in an unlocked, open container on Cornell's premises.
OCR's investigation determined Cornell failed to implement any written policies and procedures as required by the HIPAA Privacy Rule. The pharmacy also failed to provide training on policies and procedures to its workforce as required by HIPAA, OCR says.
OCR last June approved an $800,000 HIPAA settlement with Parkview Health System, an Indiana-based community health system, tied to an incident involving paper records dumping. In that case, the organization was cited for leaving 71 cardboard boxes of medical records on thousands of patients unattended and accessible to unauthorized persons on the driveway of a retiring physician's home (see $800,000 Penalty for Paper Records Breach).
An in addition to the Parkview case, OCR has issued hefty settlements for several other breaches involving improper disposal of PHI.
"The latest OCR settlement is almost identical to 2009 and 2010 settlements against CVS and Rite Aid over the pharmacies allegedly dumping protected health information in publicly-accessible waste containers," says privacy attorney Adam Greene of law firm Davis Wright Tremaine.
"In both of those cases, as in the current case with Cornell Prescription Pharmacy, the OCR investigation was triggered by a local television news report identifying the issue at local pharmacies," Greene notes. "In response to the CVS and Rite Aid cases, OCR issued specific guidance on properly disposing of protected health information. Apparently, when OCR learned of a news report indicating that a pharmacy was not heeding this guidance, OCR determined that an additional settlement was needed."
Covered entities and business associates should closely track OCR settlement agreements "and ensure that any similar issues are addressed within your own organization," Greene stresses.
Attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says he's surprised there haven't been even more such enforcement actions by OCR for these kinds of improper disposal cases.
There have been approximately 30 large breaches since April 2011 that have involved covered entities or business associates that failed to make paper or printed PHI unreadable or indecipherable, "such as by shredding into itty-bitty pieces," says Holtzman, who was a senior adviser at OCR prior to joining CynergisTek in 2013. "This [latest] case represents a drop in the bucket."
Corrective Action Plan
As part of its resolution agreement with OCR, Cornell has agreed to implement a corrective action plan that includes developing, maintaining and revising, as necessary, written policies and procedures to comply with the HIPAA Privacy Rule and submitting documentation of those policies and procedures to OCR for its review and approval.
The policies and procedures must include administrative and physical safeguards for the disposal of all non-electronic PHI, including those records being "shredded, burned, pulped or pulverized so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed."
The pharmacy also agreed to distribute those policies and procedures to all members of its workforce within 30 days of OCR approving them and to also issue those policies and procedures to new members of the workforce within 30 days of their beginning of service.
In addition, the pharmacy agreed to provide its workforce HIPAA privacy training and to report violations of its privacy policies and procedures by its workforce to OCR.
More Settlements Soon?
Some privacy and security experts believe the resolution agreement with Cornell could be the first of several additional enforcement actions in the works at OCR for 2015, including cases involving other examples of HIPAA non-compliance.
"This is likely the beginning of a more active phase of OCR enforcement that we have been anticipating," Holtzman says. "I believe that OCR has been investigating a number significant investigations and compliance reviews, many resulting from breaches reported to HHS."
Holtzman adds: "I do not believe that OCR limits itself to reserving its enforcement resources to a predetermined checklist or agenda prioritizing one type of incident over another."
In a recent interview with Information Security Media Group, Greene also predicted that OCR will likely announce a number of eye-popping financial settlements for HIPAA violations later this year (see Could Big HIPAA Settlement be Coming?).