Colorado Compounding Pharmacy Enters Six-Figure Settlement Agreement to Settle Alleged HIPAA Privacy Rule Violations

Saul Ewing Arnstein & Lehr LLP


On April 27, 2015, the U.S. Department of Health and Human Services (HHS) announced that Cornell Prescription Pharmacy (CPP), a single-location pharmacy in the Denver, Colo. metropolitan area, agreed to settle alleged HIPAA Privacy Rule violations by paying a $125,000 fine and adopting a corrective action plan to correct its HIPAA deficiencies.

In January 2012, the HHS Office of Civil Rights (OCR) began a compliance review of CPP following a media report that unshredded documents containing protected health information (PHI) maintained by CPP were disposed of in a dumpster that was unlocked and accessible to the general public. The OCR investigation revealed the following:

  • CPP did not reasonably safeguard its PHI;
  • CPP did not implement written policies and procedures to comply with the HIPAA Privacy Rule; and
  • CPP did not provide or document training on its HIPAA Privacy Rule policies and procedures for its workforce.

While the Settlement Agreement is not an admission of liability by CPP, CPP agreed to pay $125,000 to HHS and to enter into a Corrective Action Plan (CAP). The CAP requires CPP to do the following:

  • Develop, maintain and revise as needed policies and procedures that comply with the HIPAA Privacy Rule. These policies shall be assessed, and updated and revised as needed, no less frequently than annually;
  • Distribute policies approved by HHS to the CPP workforce;
  • Provide training to all members of CPP’s workforce;
  • Obtain a signed compliance certification from each member of the CPP workforce stating the workforce member has read, understands, and shall abide by the policies and procedures; and
  • Provide annual reports to HHS with respect to CPP’s compliance with the CAP.

The CAP will remain in effect for two (2) years unless HHS notifies CPP that it has determined CPP violated the CAP.

This most recent settlement underscores HHS’ commitment to enforcement of the Privacy Rule no matter the size of the covered entity. All covered entities and business associates should ensure they have current and compliant HIPAA privacy and security policies in place, have active training programs for members of their workforce, and remain vigilant in protecting PHI in their possession.

Saul Ewing attorneys are experienced in drafting compliant HIPAA privacy and security policies and procedures, responding to breach investigations, and drafting and reviewing business associate agreements. 


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing Arnstein & Lehr LLP | Attorney Advertising
