While this is not a new case, it serves as a good reminder that even a small healthcare provider is subject to potential monetary penalties under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Cornell Prescription Pharmacy was a small compounding pharmacy in Denver. A complaint was filed with the Office for Civil Rights (OCR) – a branch of the US Department of Health and Human Services with HIPAA enforcement functions – alleging that the pharmacy discarded hard copies of prescriptions and dispensing records without shredding them. These documents – containing protected health information (PHI) of 1,610 patients – were stored in an unlocked open container on the pharmacy’s premises. The OCR conducted an investigation and confirmed that such records were jeopardized and that the pharmacy failed to implement HIPAA policies and procedures. Due to these findings and to avoid further cost of defense, the pharmacy and OCR agreed on a $125,000 settlement and a corrective action plan requiring the pharmacy to implement proper HIPAA policies and procedures, and to train its staff on compliance with HIPAA and other privacy laws.

While we have previously reported larger HIPAA settlements with chain pharmacies, this is the only case and investigation that we are aware of involving a small independent pharmacy. Our other relevant blog posts: “OCR increases HIPAA audits,” “When was the last time you trained your workforce on HIPAA? Penalties for non-compliance have increased.”

We have prepared HIPAA policies and procedures specifically tailored to independent pharmacies. We also assist with training your pharmacy staff regarding HIPAA and relevant privacy laws. You can access our policies here or contact our office for custom policies and training.