On April 22, 2015, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a $125,000 settlement with a single-location pharmacy to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). OCR initiated a compliance review and investigation of Cornell Prescription Pharmacy after receiving notice from a third party that the Pharmacy improperly disposed of documents containing the unsecured Protected Health Information (PHI) of 1,610 patients. This improper disposal of patient records constituted a breach of the rules promulgated by HIPAA. However, the Pharmacy’s failure to reasonably safeguard PHI was only one factor that contributed to the disciplinary action taken by the government.
After receiving complaints alleging violations of the HIPAA rules, HHS is granted the authority to conduct compliance reviews and investigations of the subject Covered Entities and Business Associates. Following Cornell Prescription Pharmacy’s breach of PHI, HHS’ investigation determined that the Covered Entity neither implemented written policies and procedures to comply with the HIPAA Privacy Rule, nor did it provide training to its workforce to appropriately ensure compliance. The failure of the Covered Entity to have an established HIPAA Plan and training program contributed greatly to the Pharmacy’s settlement agreement and mandatory corrective action plan.
A breach of protected health information can occur in a variety of ways, often as a consequence of actions that are beyond a Covered Entity’s control, such as theft. However, while a breach of PHI may constitute a violation of HIPAA in itself, frequently the subsequent investigation by OCR uncovers deficiencies in a Covered Entity’s compliance with applicable HIPAA rules. The deficiencies detected by OCR often result in more severe sanctions for the Covered Entity than the breach that triggered the investigation.
Pharmacies handle a vast amount of PHI and therefore require rather robust policies and procedures to assure compliance with HIPAA rules and the avoidance of costly regulatory sanctions. Lack of awareness of the vulnerability of PHI, and the frequent opportunities for breaches to occur, can lead to costly fines. Tasks that are taken for granted, such as disposing of medication containers with patient labels still affixed or the loss of a portable electronic device containing PHI, can prove costly for pharmacies.
Contact Frier Levitt for more information on developing a comprehensive HIPAA plan that will both act to prevent any controllable breach and protect your pharmacy in the event of an OCR investigation.