Just ask Cornell Prescription Pharmacy about disposal of unshredded paper pharmacy records containing protected health information (PHI), and you will hear that this pharmacy paid $125,000 plus it has entered a Resolution Agreement with the OCR. Not only is this pharmacy paying a significant penalty, it will be under a corrective action plan to correct deficiencies in their HIPAA compliance program and must submit the members of their workforce to receive training on that program within 30 days of implementing the policies and procedures.
Most troubling, Cornell Prescription Pharmacy is a small, single-location pharmacy providing in-store and prescription services to patients in the Denver, CO metro area. The OCR review resulting in the Resolution Agreement arose from reports from a local Denver news outlet alerting the public of disposal of documents containing PHI in unsecured dumpsters. This is not the first time the OCR has entered a Resolution Agreement for dumpster dumping of PHI. Two of the largest pharmacy chains, CVS Pharmacy and Rite Aid Corporation, entered Resolution Agreements in 2009 and 2010 after news media reported discovering patients’ PHI dumped in the pharmacies’ unsecured dumpsters. The announcement of the Cornell Prescription Pharmacy Resolution Agreement demonstrates the importance the OCR places on HIPAA compliance. This Resolution Agreement serves as a reminder that paper records need to be disposed of in a proper manner to prevent a breach of PHI.
Compliance policies and procedures are required by HIPAA/HITECH to ensure the privacy and security of PHI. The HIPAA/HITECH Final Rule is in force now, Covered Entities need to be certain to update their privacy policies and procedures to be in compliance with the Final Rule. Be sure to speak to a qualified attorney to determine how you can ensure compliance.
By Denise Bloch