A tiny Colorado pharmacy breaches the Privacy Rule and pays big bucks.
When it comes to the Privacy Rule, being small is no defense.
A tiny, single-location pharmacy was hit with a big federal fine when protected health information was discovered in a bin, visible to anyone.
The Privacy Rule holds big and small businesses to the same standard
Cornell Prescription Pharmacy, a Denver, Colorado, druggist providing walk-in retail services to the public, paid a $125,000 penalty after a local news crew reported patient health data in a public space at the pharmacy.
Upon investigation, the Office for Civil Rights (OCR) discovered that 1,610 patients’ protected health information (PHI) had been placed in an unlocked, open container on Cornell’s premises.
The OCR is the investigative agency of the U.S. Department of Health and Human Services responsible for investigating Health Insurance Portability and Accountability Act (HIPAA) violations.
The documents had not been shredded and contained personally identifiable details in violation of the HIPAA Privacy Rule, which is the part of the law that prohibits unauthorized access to patient medical information.
Patient Data Breach leads to more Privacy Rule violations.
During its investigation, the OCR also discovered Cornell had failed to train employees in Privacy Rule standard practices, as required by HIPAA rules.
In addition to the $125,000 settlement, Cornell was forced to follow the details of a resolution agreement, which include comprehensive employee privacy training and a plan to follow the HIPAA Privacy Rule.
How would you fare in a Privacy Rule investigation?
Look around your office. Look in your trash bins and around the copier. Is protected patient health information within view or reach of unauthorized people?
Remember, if a single pharmacy can be targeted in a HIPAA Privacy Rule breach investigation, so can you.
We can help.