On April 27, 2015, the U.S. Department of Health and Human Services (HHS) announced that Cornell Prescription Pharmacy (CPP), a single-location pharmacy in the Denver, Colo. metropolitan area, agreed to settle alleged HIPAA Privacy Rule violations by paying a $125,000 fine and adopting a corrective action plan to correct its HIPAA deficiencies.
In January 2012, the HHS Office of Civil Rights (OCR) began a compliance review of CPP following a media report that unshredded documents containing protected health information (PHI) maintained by CPP were disposed of in a dumpster that was unlocked and accessible to the general public. The OCR investigation revealed the following:
CPP did not reasonably safeguard its PHI;
CPP did not implement written policies and procedures to comply with the HIPAA Privacy Rule; and
CPP did not provide or document training on its HIPAA Privacy Rule policies and procedures for its workforce.
While the Settlement Agreement is not an admission of liability by CPP, CPP agreed to pay $125,000 to HHS and to enter into a Corrective Action Plan (CAP). The CAP requires CPP to do the following:
Develop, maintain and revise as needed policies and procedures that comply with the HIPAA Privacy Rule. These policies shall be assessed, updated and revised, as needed, no less frequently than annually;
Distribute policies approved by HHS to the CPP workforce;
Provide training to all members of CPP’s workforce;
Obtain a signed compliance certification from each member of the CPP workforce stating the workforce member has read, understands, and shall abide by the policies and procedures; and
Provide annual reports to HHS with respect to CPP’s compliance with the CAP.
The CAP will remain in effect for two (2) years unless HHS notifies CPP that it has determined CPP violated the CAP.
This most recent settlement underscores HHS’ commitment to enforcement of the Privacy Rule no matter the size of the covered entity. All covered entities and business associates should ensure they have current and compliant HIPAA privacy and security policies in place, have active training programs for members of their workforce, and remain vigilant in protecting PHI in their possession.
Saul Ewing attorneys are experienced in drafting compliant HIPAA privacy and security policies and procedures, responding to breach investigations, and drafting and reviewing business associate agreements.