BreachExchange mailing list archives

OCR Announces Another HIPAA Settlement and Warns Not to Forget About Paper Records


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 6 May 2015 18:19:07 -0600

http://www.jdsupra.com/legalnews/ocr-announces-another-hipaa-settlement-a-51724/

On April 27, 2015, the U.S. Department of Health and Human Services (“HHS”)
Office for Civil Rights (“OCR”) announced that Cornell Prescription
Pharmacy (“Cornell Pharmacy”) had entered into a resolution agreement to
settle, without an admission of liability or wrongdoing, potential HIPAA
violations. As part of the resolution agreement, Cornell Pharmacy will pay
$125,000 and enter into a two-year corrective action plan (“CAP”) focused
on correcting the alleged deficiencies in its HIPAA compliance program.

Cornell Pharmacy is a small, single-store pharmacy located in Denver,
Colorado that specializes in compound medications and providing services
for local hospice agencies. OCR began an investigation into the pharmacy
after it received a media report from a Denver news agency that protected
health information (“PHI”) belonging to Cornell Pharmacy was apparently
disposed of and found in an unlocked, publicly accessible dumpster. The
documents were not shredded and contained the PHI of approximately 1,610 of
Cornell Pharmacy’s patients. After conducting its investigation, OCR
concluded that Cornell Pharmacy failed to implement any written policies
and procedures as required by HIPAA’s Privacy Rule, and further failed to
provide training on the Privacy Rule to its workforce members.

This settlement is instructive as OCR again highlights the importance of
having updated and comprehensive HIPAA policies and procedures in place,
including policies on the proper disposal of PHI, and on training all staff
on those policies and procedures. Further, in this year of massive
cyber-attacks and other breaches of electronic data, this HIPAA settlement
serves to remind covered entities and business associates not to forget
about protecting their paper records as well. As stated by OCR in its
press release, “Even in our increasingly electronic world, it is critical
that policies and procedures be in place for secure disposal of patient
information, whether that information is in electronic form or on paper.”
As discovered by Cornell Pharmacy, a breach or other improper disclosure of
paper PHI can also result in significant consequences.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
