Pharmacy serving hospice patients sees settlement based on paper records breach.
It may not be a large-scale federal HIPAA audit initiative that exposes you to huge fines and settlements. The local press getting a whiff of improprieties with patients’ health information is enough to sink you, a recent example shows.
After receiving notification from a local Denver news outlet, the HHS Office for Civil Rights opened a compliance review and investigation of Cornell Prescription Pharmacy. Specifically, the news outlet notified OCR that Cornell disposed of unsecured documents containing the protected health information (PHI) of 1,610 patients in an unlocked, open container on the pharmacy’s premises.
According to OCR, Cornell is a small, single-location pharmacy that provides in-store and prescription services in the Denver metropolitan area, specializing in compounded medications and services for local hospice agencies.
Cornell did not shred the documents, which contained identifiable information regarding specific patients, OCR says. The investigation revealed that Cornell failed to implement any written policies and procedures required by the HIPAA Privacy Rule, and failed to provide training on policies and procedures to its workforce.
Consequences: As a result of the investigation and compliance review, Cornell agreed to a settlement and Resolution Agreement with OCR, in which the pharmacy pays $125,000 and adopts a Corrective Action Plan (CAP) to correct deficiencies in its HIPAA compliance program. The agreement also requires Cornell to develop and implement a comprehensive set of policies and procedures to comply with the HIPAA Privacy Rule, as well as develop and provide staff training.
HIPAA Settlement Amounts Can Get Bigger — A Lot Bigger
Despite being in the six-figure range, some industry experts are questioning why the settlement amount was so low. In fact, the first Resolution Agreement with Cornell showed a payment of $767,520, but it was dropped to only a $125,000 settlement amount, attorney Matt Fisher, co-chair of Mirick O’Connell’s Health Law Group, noted in a blog post. “No information has been provided to explain the reduction,” Fisher noted. “One possible answer is that Cornell is a very small entity and may not have been able to afford the higher resolution amount.”
Caveat: Cornell is still vulnerable to additional significant fines, however. If during the next two years OCR finds that Cornell is in breach of the CAP or the terms of the Resolution Agreement, OCR could impose additional civil monetary penalties on the pharmacy, noted attorney Laurie Cohen in analysis posted for the law firm Nixon Peabody.
Look out: And recent fines are likely to pale in comparison to fines that OCR will levy in the future, but “the resolution amounts remain wildly unpredictable,” Fisher said. “It will be a safe bet that any problems found in an audit will result in higher fines being assessed” — which is all the more reason to get your HIPAA compliance in order right now, rather than having an audit uncover deficiencies.
Feds Looking For Providers Without HIPAA P&P
In addition to the reduced fine, another surprising revelation in the Cornell case is the fact that the pharmacy had no HIPAA policies or procedures in place. But Cornell is shockingly not alone in this — “multiple surveys recently have found that a lack of knowledge about HIPAA is still fairly widespread,” despite HIPAA being around for nearly 20 years, Fisher pointed out.
Whether noncompliance is due to an unintentional lack of awareness or something more deliberate is unclear. “No matter the reason, the government is clearly monitoring and looking for organizations that are not in compliance,” Fisher warned.
And the speed at which OCR responded to the notification from the Denver news outlet about the improperly discarded records is also a bit of an eye-opener — OCR initiated its compliance review and investigation of Cornell just two days after receiving the notification, pointed out New York City-based attorney Jordan Cohen in analysis for law firm Mintz Levin.
Beware: The Cornell agreement is likely only the tip of the HIPAA enforcement iceberg. “Recent news reports and rumors indicate that HHS is just ramping up its enforcement work on HIPAA, and this may be only the first indication of a coming flood of settlement agreements for HIPAA violations,” warns Jim Sheldon-Dean with Lewis Creek Systems in Charlotte, Vt.
Lesson learned: “This most recent settlement underscores HHS’ commitment to enforcement of the Privacy Rule no matter the size of the covered entity,” cautioned attorneys Bruce Armon and Karilynn Bayus of Saul Ewing LLP in analysis published in the JDSUPRA Business Adviser. “All covered entities and business associates should ensure they have current and compliant HIPAA privacy and security policies in place, have active training programs for members of their workforce, and remain vigilant in protecting PHI in their possession.”
Note: You can read the Resolution Agreement with Cornell at www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cornell.html. HHS also released an FAQ document on the disposal of PHI at www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf.