Don’t Forget the Paper: Records and Policies

By Matt Fisher, Esq
Twitter: @matt_r_fisher

Another HIPAA breach settlement announcement and another lesson from the Department of Health and Human Services Office for Civil Rights (“OCR”). Cornell Prescription Pharmacy (“Cornell”) is a single location pharmacy located in Colorado that will pay OCR $125,000 to resolve allegations of a variety of HIPAA violations. When the facts of the circumstances are described, it will likely raise questions as to why the settlement was so low.

The issues at Cornell were revealed to OCR by a local new station. The news station found paper-based protected health information disposed of in unsecure dumpster generally accessible to the public. After receiving the report, OCR investigated Cornell. OCR’s investigation revealed that Cornell had no written policies in place to implement the HIPAA Privacy Rule, no training regarding Privacy Rule requirements was conducted, and protected health information was not reasonably safeguarded.

Despite all of these findings, as indicated above, Cornell only faces a $125,000 settlement amount in addition to the usual requirement to enter into a corrective action plan. It is interesting to note that on April 27, 2015 when the settlement was announced, the first Resolution Agreement posted showed a resolution payment of $767,520. No information has been provided to explain the reduction. One possible answer is that Cornell is a very small entity and may not have been able to afford the higher resolution amount. It would be beneficial to monitor for more information on this account.

As set forth in the settlement announcement, OCR wants every entity to know that it may be subject to HIPAA enforcement, including fines and penalties. A quote from OCR Director Jocelyn Samuels says it all: “Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other container that are accessible by . . .unauthorized persons.” It is incumbent upon all organizations to implement appropriate policies and procedures to satisfy HIPAA requirements.

One of the more stunning aspects of the Cornell settlement was the revelation that Cornell had no written policies or procedures to comply with the Privacy Rule. This is slightly different from other settlements where OCR found inadequate or non-existent security policies. Arguably, privacy policies are easier to implement because the Privacy Rule provides a pretty comprehensive and clearcut guide with regard to what policies and procedures need to be put into place. Additionally, there is not a need to do an equivalent of a risk analysis to determine what security policies to put into place.

While the statement about no policies being in place should be shocking, multiple surveys recently have found that a lack of knowledge about HIPAA is still fairly widespread. HIPAA in its original form has been around for almost 20 years at this point. Why is it that organizations still do not know what they need to do to comply? Is it unintentional lack of awareness or something more deliberate? No matter the reason, the government is clearly monitoring and looking for organizations that are not in compliance. The resolution amounts remain wildly unpredictable, but many statements have suggested that recent fines will pale in comparison to fines that will be levied in the future. It is better for organizations to get their houses in order at this point rather than having an audit uncover deficiencies. It will be a safe bet that any problems found in an audit will result in higher fines being assessed.

About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.