On April 22, 2015, Cornell Prescription Pharmacy (“Cornell”), a small pharmacy with a single location in the Denver, Colorado area, agreed to settle potential violations of the HIPAA Privacy Rule with the Department of Health and Human Services Office for Civil Rights (“OCR”). The settlement requires Cornell to pay a $125,000 fine and agree to implement a Corrective Action Plan (“CAP”). The settlement is the result of an OCR investigation commenced after OCR received a tip from a local news outlet that Cornell had improperly disposed of documents containing Protected Health Information (“PHI”) of its patients. In the course of the investigation, OCR discovered that Cornell had left documents containing PHI of 1,610 patients in a publicly accessible dumpster without shredding the information. The investigation also revealed that Cornell had not implemented any written policies and procedures or trained its workforce as required by the HIPAA Privacy Rule. Thus, in addition to the fine, the CAP requires Cornell to draft policies and procedures governing the security, use, and disclosure of PHI, to train its workforce on those policies, and to report to OCR periodically on the progress of those efforts.
This marks one of only a handful of OCR settlements, few of which have focused on improper disposal of paper records under the Privacy Rule. Unlike the HIPAA Security Rule (which applies only to electronic PHI and contains detailed requirements for securing that information), the Privacy Rule (which generically requires sufficient administrative, technical, and physical safeguards) applies to all PHI in paper or electronic form. The settlement serves as a reminder that, even in an age of increased reliance on electronic records, Covered Entities and Business Associates must continue to pay careful attention to how paper records containing PHI are handled and disposed of.