Magazine article Drug Topics

Denver Area Pharmacy Draws HIPAA Privacy Violation

Magazine article Drug Topics

Denver Area Pharmacy Draws HIPAA Privacy Violation

Article excerpt


Settlement with OCR highlights need to meet HIPAA obligations

The Department of Health and Human Services' Office of Civil Rights (OCR) has announced a settlement with a Denver-area pharmacy in a case that centered on violation of HIPAA requirements through disposal of medical records in an unsecure maimer.

In 2012, a local Denver news station notified the OCR that records had been found in open containers on the pharmacy's premises. OCR opened an investigation and discovered intact medical records containing protected health information for more than 1,600 of the pharmacy's patients. The investigation revealed that the pharmacy had failed to safeguard the protected health information of its patients, failed to implement written HIPAA policies, and failed to provide staff with training on its HIPAA policies and procedures.

National privacy standards

All three violations committed by the Denver pharmacy show failure to comply with HIPAA's Privacy Rule, which establishes national standards to protea individuals' medical records and other personal health information. The rule requires safeguards to protect the privacy of personal information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.

Although the HIPAA Privacy Rule does not specify how covered entities must dispose of paper documents, it states that facilities "must review their own circumstances to determine what steps are reasonable to safeguard proteaed health information through disposal, and develop and implement policies and procedures to carry out those steps."

The settlement

In addition to the $125,000 fine, the pharmacy is required to adopt a corrective plan that will include the development of a comprehensive HIPA A policies and procedures manual. The procedures are required to include HIPAA training for all pharmacy employees. Each employee must then certify to having received the training, and the pharmacy must review the method and content of the training on an annual basis.

While announcing the settlement, OCR took the opportunity to reiterate the importance of secure disposal of paper medical records.

"Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons," said OCR director Jocelyn Samuels. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed


An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.