• linkedin
  • Increase Font
  • Sharebar

    Denver area pharmacy draws penalty for HIPAA privacy violation

    Settlement with OCR highlights need to meet HIPAA obligations

    Ned MilenkovichNed MilenkovichThe Department of Health and Human Services’ Office of Civil Rights (OCR) has announced a settlement with a Denver-area pharmacy in a case that centered on violation of HIPAA requirements through disposal of medical records in an unsecure manner.

    See also: A HIPAA violation, a $1.8 million verdict, and three takeaways

    In 2012, a local Denver news station notified the OCR that records had been found in open containers on the pharmacy’s premises. OCR opened an investigation and discovered intact medical records containing protected health information for more than 1,600 of the pharmacy’s patients. The investigation revealed that the pharmacy had failed to safeguard the protected health information of its patients, failed to implement written HIPAA policies, and failed to provide staff with training on its HIPAA policies and procedures.

    National privacy standards

    All three violations committed by the Denver pharmacy show failure to comply with HIPAA’s Privacy Rule, which establishes national standards to protect individuals’ medical records and other personal health information. The rule requires safeguards to protect the privacy of personal information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.

    See also: Omnibus Guidelines expected to brings changes to 340B program

    Although the HIPAA Privacy Rule does not specify how covered entities must dispose of paper documents, it explains that facilities “must review their own circumstances to determine what steps are reasonable to safeguard protected health information through disposal, and develop and implement policies and procedures to carry out those steps.”

    The settlement

    In addition to the $125,000 fine, the pharmacy is required to adopt a corrective plan that will include the development of a comprehensive HIPAA policies and procedures manual. The procedures are required to include HIPAA training for all pharmacy employees. Each employee must then certify to having received the training, and the pharmacy must review the method and content of the training on an annual basis.

    While announcing the settlement, OCR took the opportunity to reiterate the importance of secure disposal of paper medical records.

    “Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons,” said OCR director Jocelyn Samuels. “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic or paper form.”

    Disposal methods

    According to the OCR, examples of proper methods of disposal include:

    • Shredding, burning, pulping, or pulverizing protected health information in paper records so that the information is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed before it is placed in a dumpster or other trash receptacle.

    • Maintaining protected health information in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the information.

    • In justifiable cases, based on the size and type of covered entity, and the nature of the protected health information, depositing it in locked dumpsters that are accessible only by authorized persons, such as appropriate refuse workers.

    Ned Milenkovich, PharmD, JD
    This article is not intended as legal advice and should not be used as such. When legal questions arise, pharmacists should consult with ...

    0 Comments

    You must be signed in to leave a comment. Registering is fast and free!

    All comments must follow the ModernMedicine Network community rules and terms of use, and will be moderated. ModernMedicine reserves the right to use the comments we receive, in whole or in part,in any medium. See also the Terms of Use, Privacy Policy and Community FAQ.

    • No comments available