On April 27, 2015, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $125,000 settlement with Cornell Prescription Pharmacy, a small, single-location pharmacy based in Denver, Colorado. The case proved to be a landmark in the history of HIPAA enforcement because of OCR’s decision to investigate such a small-scale data breach on the national level.
Cornell Prescription Pharmacy was a small, single-location pharmacy based out of Denver, Colorado. The $125,000 settlement was announced on April 27, 2015 in response to OCR’s findings over the course of its investigation.
The investigation began when OCR received notice from a Denver news outlet, which claimed that documents containing the protected health information (PHI) of some 1,610 patients had been improperly disposed of on Cornell’s premises.
OCR discovered that the information in question was unsecured, not shredded, and contained personally identifiable information. Additionally, the investigators uncovered that Cornell had failed to implement any written policies or procedures, leading to serious violations of the HIPAA Privacy Rule.
Prior to Cornell, settlements with large retail pharmacy chains such as CVS and Rite Aid had been highly publicized. Independent pharmacies and small-scale franchises had not yet been subject to major settlements, and the industry continued to operate under the federal regulation without serious scrutiny.
OCR Director Jocelyn Samuels commented on the settlement, saying, “Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.” She continued, “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.”
What the Cornell settlement proves, more than anything, is that HIPAA enforcement is changing its face. Large-scale investigations are still going to rank high among OCR’s priorities. But organizations, such as independent pharmacies, that have historically been spared the burdens of HIPAA enforcement are now being investigated for the same chronic non-compliance as the rest of the health care industry.
Finding a HIPAA solution that caters to the needs of health care organizations in today’s market has become more important than ever before, which is why implementing HIPAA compliance software is one of the best ways to mitigate exposure to this growing area of national risk.