Another HIPAA Settlement With a Pharmacy for $125,000

The Office of the Civil Rights (OCR) within the US Department of Health and Human Services recently settled a HIPAA violation case with a single-location compounding pharmacy in Denver, Colorado. This is yet another HIPAA settlement underscoring the importance of properly implementing and maintaining a compliance plan.

OCR launched a compliance review of the Denver pharmacy after local media reports alerted the agency to improper disposal of protected health information maintained by the pharmacy. Specifically, the media reports alleged that the pharmacy disposed of documents containing protected health information (PHI) into an open dumpster that was accessible to the public without taking steps to render the PHI unreadable or indecipherable.

While the current settlement agreement is not an admission of liability by the pharmacy, OCR’s investigation found that the pharmacy failed to reasonably safeguard PHI and failed to implement any written policies and procedures to comply with the HIPAA Privacy Rule. The pharmacy also did not provide, and did not document, the workforce training on its HIPAA Privacy Rule policies and procedures that the Privacy Rule requires.

As part of the settlement, the compounding pharmacy will have to pay a fine of $125,000 and take corrective action as outlined in the corrective action plan developed by the OCR.

This is neither the first nor the largest fine against a pharmacy accused of dumping PHI without rendering it unreadable or indecipherable. In 2009, CVS, the leading national pharmacy chain, settled with OCR and the Federal Trade Commission for $2.25 million after news reports alleged that patients’ records containing personal information and medical history, as well as employment records, including social security numbers and payroll information, from its retail pharmacies were being thrown out as trash in open dumpsters without taking steps to render this information unreadable or indecipherable.

If you have questions regarding compliance plans, policies and procedures manuals, HIPAA, or have other health law related questions, please contact our office.