Denver Pharmacy Ignores HIPAA Privacy Rule, Fined $125K

Cornell Prescription Pharmacy, a small, single-location business in Denver, will pay a $125,000 settlement fine and adopt a corrective action plan for failure to comply with the HIPAA privacy rule since its compliance date in 2003.

The pharmacy reached a resolution agreement with the HHS Office for Civil Rights after local media in Denver reported that paper records containing protected health information for 1,610 patients was disposed of in an open container on the premises.

Also See: New HHS Meaningful Use Security Audits: What You Need to Know

“Evidence obtained by OCR during its investigation revealed Cornell’s failure to implement any written policies and procedures as required by the HIPAA Privacy Rule,” according to an OCR announcement. “Cornell also failed to provide training on policies and procedures to its workforce as required by the Privacy Rule.”

The sanction against the pharmacy is the 24th resolution agreement with a civil monetary penalty that OCR has imposed on organizations that demonstrated blatant disregard for the HIPAA privacy and security rules. It is the first such action taken in 2015 following six settlements in 2014. The resolution agreement and corrective action plan are available here.

For reprint and licensing requests for this article, click here.