Although there has been significant focus and attention on recent security breaches involving electronic patient records, the obligation to secure paper records is equally important. Following a media report in January 2012 that patient records were found in a dumpster, the Office of Civil Rights (OCR) initiated an investigation into the privacy and security practices of a Denver pharmacy. As a result of the investigation, OCR announced this past week that the pharmacy will pay a fine of $125,000.00 and also has entered into a Corrective Action Plan (CAP).
Not only had the pharmacy in question disposed of patient records by throwing them in a dumpster, it was also found to have no written privacy policies and procedures in place, and it had neither provided workforce training nor documented its provision. By the terms of the CAP, the pharmacy is required to develop and implement written HIPAA policies and procedures to address the privacy and security of protected health information. The CAP also requires, upon the pharmacy’s distribution of its HIPAA policies and procedures to existing and new workforce members, that each sign a compliance certificate stating that he/she “has read, understands and shall abide by such policies and procedures.” Regardless of the size of the covered entity and how it satisfies the requirement to train its workforce, it is strongly recommended that each workforce member be required to sign a compliance certificate acknowledging his/her understanding of the covered entity’s HIPAA policies and agreement to comply with such policies.
Although the pharmacy is to pay a significant fine to resolve this matter, it remains at risk for the imposition of additional civil monetary penalties if during the next two years it is found in breach of the CAP or the terms of the resolution agreement.
Find the Resolution Agreement and Corrective Action Plan here.
For guidance on the proper disposal of protected health information, see OCR FAQs here.