On April 24, 2015, the HHS Office for Civil Rights (“OCR”) once again stressed the importance of properly disposing of protected health information (“PHI”) when it announced its settlement and corrective action plan with Cornell Prescription Pharmacy (“CPP”), a small, for-profit, single-location compounding pharmacy in Denver, Colorado. CPP has agreed to pay $125,000 and enter into a corrective action plan (“CAP”) to settle potential violations of the HIPAA Privacy Rule.

OCR opened a compliance review and investigation of CPP on January 13, 2012, only two days after receiving a report from a local news station that CPP had disposed of PHI in an unsecured, publicly accessible dumpster on CPP’s premises. The media reported that the documents contained the PHI of 1,610 individuals. Despite CPP’s small size, OCR Director Jocelyn Samuels stressed that all covered entities are held to the same standards when it comes to HIPAA and the protection of PHI. Ms. Samuels stated, “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.” Beyond the improper disposal of PHI, OCR’s investigation also found that CPP had failed to implement the written policies and procedures required by the Privacy Rule, and had failed to train its workforce on them.

Therefore, in addition to the $125,000 monetary settlement, the Resolution Agreement between CPP and OCR included a two-year CAP that requires CPP to, among other actions: (1) implement written policies and procedures that include physical and administrative safeguards for the secure disposal of all non-electronic PHI and comply with HIPAA standards governing the privacy of individually identifiable health information; (2) distribute the policies and procedures to members of CPP’s workforce; and (3) conduct regular training sessions for members of the workforce and require that these individuals execute a training certification form before accessing PHI in any manner. The CAP also requires CPP to notify OCR within 30 days of a violation of its implemented policies and procedures or the HIPAA Rules. Lastly, CPP must provide OCR with an “Implementation Report” summarizing the status of CPP’s obligations under the CAP and “Annual Reports” outlining CPP’s progress under the CAP.

As with OCR’s earlier enforcement actions, this investigation and the resulting settlement demonstrate that OCR will not alter its enforcement response based on the small size of the covered entity or the relatively limited number of patients involved in a potential HIPAA violation. It also reminds covered entities and business associates that OCR pays close attention to reports of potential violations that arise from any media outlet or other viable source. Finally, this settlement reaffirms that covered entities and business associates must take proactive measures: they must implement, and regularly update, comprehensive policies and procedures that include a process for the safe and secure disposal of paper and electronic documents containing PHI.

For additional information on OCR’s enforcement activities, visit the U.S. Department of Health and Human Services website.