Tip: Shredding records is critical.
The speed at which the HHS Office for Civil Rights (OCR) responded to a notification from a Denver news outlet about improperly discarded records is a bit of an eye-opener, especially for those who think that HIPAA compliance is all about electronic health records and breaches.
Background: After receiving notification from a local Denver news outlet, the OCR opened a compliance review and investigation of Cornell Prescription Pharmacy. Specifically, the news outlet notified OCR that Cornell disposed of unsecured documents containing the protected health information (PHI) of 1,610 patients in an unlocked, open container on the pharmacy’s premises.
Cornell did not shred the documents, which contained identifiable information regarding specific patients, OCR says. The investigation revealed that Cornell failed to implement any written policies and procedures required by the HIPAA Privacy Rule, and failed to provide training on policies and procedures to its workforce.
OCR initiated its compliance review and investigation of Cornell just two days after receiving the notification, pointed out New York City-based associate attorney Jordan Cohen in an April 29 analysis for the law firm Mintz Levin PC.
Consequences: As a result of the investigation and compliance review, Cornell agreed to a settlement and Resolution Agreement with OCR, announced on April 27, in which the pharmacy will pay $125,000 and adopt a Corrective Action Plan (CAP) to correct deficiencies in its HIPAA compliance program. The agreement also requires Cornell to develop and implement a comprehensive set of policies and procedures to comply with the HIPAA Privacy Rule, as well as develop and provide staff training.
Look out: Recent fines are likely to pale in comparison to fines that OCR will levy in the future, but “the resolution amounts remain wildly unpredictable,” said attorney Matt Fisher, co-chair of Mirick O’Connell’s Health Law Group in an April blog posting. “It will be a safe bet that any problems found in an audit will result in higher fines being assessed” — which is all the more reason to get your HIPAA compliance in order right now, rather than having an audit uncover deficiencies.
Pitfall: Although there has been intense focus in the healthcare industry on securing electronic forms of PHI and medical records, paper records are still highly vulnerable. “While not as easily transferrable as its digital counterpart, the information in paper-based medical records remains extremely lucrative in the black market,” warned partner attorney Laurie Cohen in a blog posting for the law firm Nixon Peabody LLP. Experts estimate that an individual’s medical data can fetch as much as 10 times the value of a credit card number.
You can expect “increasing scrutiny given this lucrative black market as well as the recent high-profile breaches at various health insurance companies across the United States,” Cohen predicted.
Lesson learned: “This most recent settlement underscores HHS’ commitment to enforcement of the Privacy Rule no matter the size of the covered entity,” cautioned attorneys Bruce Armon and Karilynn Bayus of Saul Ewing LLP in an April 30 analysis published in the JDSUPRA Business Adviser. “All covered entities and business associates should ensure they have current and compliant HIPAA privacy and security policies in place, have active training programs for members of their workforce, and remain vigilant in protecting PHI in their possession.”
Links: You can read the Resolution Agreement with Cornell at www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cornell.html. HHS also released an FAQ document on the disposal of PHI: www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf.