A single-location pharmacy based located in Colorado entered a $125,000 settlement with the Department of Health and Human Services Office of Civil Rights (OCR) last week. A Denver news channel notified the OCR that the pharmacy disposed of unsecured PHI of 1,610 patients in an "unlocked, open container" on the pharmacy's premises. The PHI was not shredded.
The OCR investigated and found that the pharmacy:
- lacked HIPAA Privacy policies and procedures
- lacked workforce training on HIPAA Privacy policies and procedures
The OCR made clear that HIPAA applies to all organizations: "Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons," said OCR Director Jocelyn Samuels.
With increasing concern about threats to electronic PHI, such as hackers, mobile device use, software snafus and social media nightmares, some providers might overlook the need to protect paper records. However, this settlement makes it clear that HIPAA's protections for paper records are just as essential as the evolving protections we must keep up with under the Security Rule.