Denver area pharmacy draws penalty for HIPAA privacy violation

August 10, 2015

Note to pharmacies: Don't throw unshredded patient health information into Dumpsters. Just don't.

Ned Milenkovich

The Department of Health and Human Services' Office for Civil Rights (OCR) has announced a settlement with a Denver-area pharmacy in a case that centered on a violation of HIPAA requirements through the disposal of medical records in an insecure manner.


In 2012, a local Denver news station notified the OCR that records had been found in open containers on the pharmacy’s premises. OCR opened an investigation and discovered intact medical records containing protected health information for more than 1,600 of the pharmacy’s patients. The investigation revealed that the pharmacy had failed to safeguard the protected health information of its patients, failed to implement written HIPAA policies, and failed to provide staff with training on its HIPAA policies and procedures.

National privacy standards

All three violations committed by the Denver pharmacy reflect a failure to comply with HIPAA's Privacy Rule, which establishes national standards to protect individuals' medical records and other personal health information. The rule requires safeguards to protect the privacy of personal information and sets limits and conditions on the uses and disclosures of such information that may be made without patient authorization.


Although the HIPAA Privacy Rule does not specify how covered entities must dispose of paper documents, it explains that facilities “must review their own circumstances to determine what steps are reasonable to safeguard protected health information through disposal, and develop and implement policies and procedures to carry out those steps.”

The settlement

In addition to the $125,000 fine, the pharmacy is required to adopt a corrective plan that will include the development of a comprehensive HIPAA policies and procedures manual. The procedures are required to include HIPAA training for all pharmacy employees. Each employee must then certify to having received the training, and the pharmacy must review the method and content of the training on an annual basis.

While announcing the settlement, OCR took the opportunity to reiterate the importance of secure disposal of paper medical records.

“Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons,” said OCR director Jocelyn Samuels. “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic or paper form.”

Disposal methods

According to the OCR, examples of proper methods of disposal include:

  • Shredding, burning, pulping, or pulverizing protected health information in paper records so that the information is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed before it is placed in a dumpster or other trash receptacle.

  • Maintaining protected health information in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the information.

  • In justifiable cases, based on the size and type of covered entity, and the nature of the protected health information, depositing it in locked dumpsters that are accessible only by authorized persons, such as appropriate refuse workers.

Reminder to pharmacies

This recent OCR HIPAA enforcement action should serve as a reminder to pharmacies that, as healthcare providers conducting transactions electronically, fall under the HIPAA classification of a "covered entity." Like other HIPAA covered entities, these pharmacies are coming under increasing scrutiny from OCR and, where warranted, are being disciplined through monetary fines and required to undertake corrective action to protect patient-identifiable health information.