Cornell Prescription Pharmacy recently agreed to settle violations of the HIPAA Privacy Rule with the Department of Health and Human Services (HHS). Cornell will pay $125,000 and implement a corrective action plan to achieve HIPAA compliance. Cornell is a small pharmacy that provides in-store and prescription services to patients in Denver, Colorado.
A local Denver news station notified HHS about the disposal of unsecured documents containing the protected health information (PHI) of 1,610 patients in an unlocked, open container on Cornell's premises. The documents were not shredded and contained sensitive patient information. During its investigation, HHS learned that Cornell had failed to implement any written policies and procedures as required by the HIPAA Privacy Rule. Cornell also failed to train its workforce on policies and procedures, which the Privacy Rule also requires. In addition to the $125,000 fine, the agreement requires Cornell to develop and implement a comprehensive set of policies and procedures to comply with the Privacy Rule and to develop and provide staff training. OCR offers helpful FAQs concerning HIPAA and the disposal of protected health information.