OCR Announces Another HIPAA Settlement and Warns Not to Forget About Paper Records

On April 27, 2015, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that Cornell Prescription Pharmacy (“Cornell Pharmacy”) had entered into a resolution agreement to settle, without an admission of liability or wrongdoing, potential HIPAA violations.  As part of the resolution agreement Cornell Pharmacy will pay $125,000 and enter into a two-year corrective action plan (“CAP”) focused on correcting the alleged deficiencies in its HIPAA compliance program.  

Cornell Pharmacy is a small, single store pharmacy located in Denver, Colorado that specializes in compound medications and providing services for local hospice agencies.  OCR began an investigation into the pharmacy after it received a media report from a Denver news agency that protected health information (“PHI”) belonging to Cornell Pharmacy was apparently disposed of and found in an unlocked, publically accessible dumpster.  The documents were not shredded and contained the PHI of approximately 1,610 of Cornell Pharmacy’s patients.   After conducting its investigation, OCR concluded that Cornell Pharmacy failed to implement any written policies and procedures as required by HIPAA’s Privacy Rule, and further failed to provide training on the Privacy Rule to its workforce members.

This settlement is instructive as OCR again highlights the importance of having updated and comprehensive HIPAA policies and procedures in place, including policies on the proper disposal of PHI, and on training all staff on those policies and procedures.   Further, in this year of massive cyber-attacks and other breaches of electronic data, this HIPAA settlement serves to remind covered entities and business associates not to forget about protecting their paper records as well.   As stated by OCR in its press release, “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.”  As discovered by Cornell Pharmacy, a breach or other improper disclosure of paper PHI can also result in significant consequences. 

For further information please contact the author, Gregory M. Fliszar (Philadelphia, PA), or other members of Cozen O’Connor’s healthcare team.

Links:

resolution agreement:
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cornell/cornell-cap.pdf

press release:
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cornell/cornell-press-release.html

About The Author

Gregory M. Fliszar is a member in the Business Law Department and resides in the firm’s Philadelphia office. He recently returned to Cozen O'Connor after briefly serving as Associate General Counsel to Universal Health Services. Greg focuses his practice on health law and handles a variety of health law litigation and regulatory and compliance matters for a number of different types of health care providers including hospitals, hospices, mental health providers, and physician groups. He has significant experience with HIPAA and privacy issues and has counseled insurance company clients on understanding their obligations under the Medicare Secondary Payer Act. He has written and spoken about a number of health law issues including HIPAA and privacy/confidentiality issues as well as the Medicare Secondary Payer Act.

Posted in Data Breach, Data Security, HIPAA

Leave a Reply

Your email address will not be published. Required fields are marked *

*

About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Subscribe For Updates

cyberlawmonitor

Cozen O’Connor Blogs