On Monday, April 27, 2015, the Department of Health and Human Services ("HHS"), Office for Civil Rights ("OCR") announced a settlement with Cornell Prescription Pharmacy ("Cornell"). Under the Resolution Agreement, Cornell agreed to pay HHS $125,000 and adopt a Corrective Action Plan ("CAP") to address the deficiencies in its HIPAA compliance program.
Significantly, the $125,000 settlement does not take into account the time, labor and most likely legal fees that were required to navigate through the investigation or will be required to comply with the CAP. There is no question that proactively implementing, maintaining and training on measures to protect patient information ultimately reduces costs and limits exposure to government enforcement and the quick-rising tide of state court lawsuits targeting data breaches.
In January 2012, the small compounding pharmacy in Colorado became the subject of a federal investigation for potential violations of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") after a local Denver, Colorado news station found records for 1,610 individuals in an unlocked, open container that was accessible to the public outside of Cornell's facility. The records were not shredded, and the information was not otherwise de-identified.
After the investigation was initiated, OCR identified additional HIPAA deficiencies, including Cornell's failure to implement HIPAA policies and procedures or to properly train its workforce members. In the CAP, Cornell agreed—among other things—to:
Develop written policies and procedures and to provide those policies and procedures to HHS within 30 days of the execution of the Resolution Agreement. The policies and procedures must be implemented within 30 days of receipt of HHS' final approval.
Obtain a signed certification from each member of its workforce that he/she has read, understands and agrees to abide by the HIPAA policies and procedures.
Report to HHS, within 60 days after receiving HHS' approval of the HIPAA policies and procedures and then annually for at least two years, on the status of its implementation of the obligations of the CAP.
In the press release announcing the settlement, OCR pointed out that Cornell was a "small, single-location pharmacy," and OCR Director Jocelyn Samuels has made clear: "Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons."
This settlement, like OCR's settlement with Phoenix Cardiac Surgery (which was similarly resolved with a payment of $100,000 and a CAP), demonstrates OCR's commitment to enforcing HIPAA across the health care spectrum, regardless of the size or type of entity.
The OCR press release and Resolution Agreement are available online here.