The mega data breaches to hit large insurers and healthcare providers have been making the headlines in recent months; however, the Department of Health and Human Services’ Office for Civil Rights (OCR) showed yesterday that even smaller healthcare providers must abide by HIPAA Rules or face the consequences.
Yesterday, the OCR issued a statement on the latest settlement to be reached with a healthcare provider for violations of HIPAA Rules. The OCR announced that it has reached a $125,000 settlement with a Denver-based healthcare provider, Cornell Pharmacy, following the improper disposal of patient health records. Cornell Pharmacy is a single-location healthcare provider that mostly serves hospice care organizations in Denver and provides compound medications.
HIPAA-Covered Entities of All Sizes Must Obey HIPAA Rules
The Office for Civil Rights has been cracking down on HIPAA violations in recent years and has issued a number of large fines to organizations that fail to abide by HIPAA Privacy and Security Rules. Organizations large and small are being investigated by the OCR and fines are being issued when serious violations of HIPAA are discovered.
The move to electronic health records has increased the risk of data breaches, and covered entities (CEs) have had to respond by improving their defenses against cyber attacks. However, HIPAA also covers paper records, and the same rules apply to protecting that data as apply to electronic health records.
Jocelyn Samuels, Director of the Office for Civil Rights, spoke out about the latest fine and issued a warning to healthcare providers – and other CEs – that HIPAA violations would not be tolerated. She confirmed that if HIPAA Privacy and Security Rules are not followed there will be consequences.
“Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.” She also said that “Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.”
OCR Investigation Uncovered Numerous HIPAA Violations
The latest settlement relates to HIPAA violations that took place in 2012. The Office for Civil Rights launched an investigation after it was alerted to potential HIPAA violations stemming from the improper disposal of medical records. The data breach involved 1,610 patient medical records being left in an open container on the premises of the Cornell Pharmacy. This is a breach of the HIPAA Security Rule, which requires physical, technical and administrative controls to be implemented to ensure that Protected Health Information (PHI) is safeguarded.
Under HIPAA Rules, when ePHI or PHI is no longer required it must be securely disposed of, and the data must be rendered unreadable. According to guidance issued by the OCR, acceptable disposal of paper records means “Shredding or otherwise destroying PHI in paper records so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster or other trash receptacle.”
The OCR also discovered further HIPAA violations during the course of the Cornell Pharmacy investigation. It was established that the healthcare provider had failed to document policies and procedures as required by the HIPAA Privacy Rule, and had also failed to provide training to the pharmacy staff on HIPAA Rules.
As a result, in addition to the large HIPAA penalty, the pharmacy will be required to adopt a corrective action plan to ensure that all HIPAA Rules are followed in future and that the necessary policies and procedures are developed. Cornell Pharmacy has agreed to implement HIPAA policies and procedures within 30 days and to provide training to all staff on HIPAA Privacy Rules.