The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), proved once again that all covered entities must comply with HIPAA, regardless of the size of the organization.
Cornell Prescription Pharmacy (Cornell), a single location, compounding pharmacy located in Denver, Colorado, has agreed to settle potential HIPAA violations, in OCR’s latest Resolution Agreement. In this Agreement, Cornell will pay a resolution amount of $125,000. That’s quite a hefty price tag for a small covered entity like Cornell. But, it reminds all covered entities and business associates that HIPAA applies to, and affects, organizations equally.
OCR conducted an initial compliance review and investigation after it received notification from a local Denver news station that Cornell was disposing of unsecured documents containing protected health information (PHI). The Denver station informed OCR that Cornell was disposing PHI in a dumpster that was accessible to the public.
During OCR’s investigation, OCR found possible violations of the HIPAA Privacy, Security and Breach Notification Rules, including failure to reasonably safeguard PHI, failure to implement written policies and procedures, and failure to train employees on Privacy Rule policies and procedures.
In addition to the Agreement, Cornell entered into a two-year Corrective Action Plan (CAP) with OCR. During the CAP period, Cornell must correct its Corrective Action Obligations. These obligations include, but are not limited to, draft and implement appropriate policies and procedures, train workforce on said policies and procedures, and apply appropriate sanctions.
Don’t be caught off guard in the event your organization should ever come under OCR’s scrutiny. Do you know how you would fare in an OCR investigation, audit or compliance review? Let Clearwater’s experts assess your compliance before OCR does.