Health Information Compliance Alert

Published on Thu May 14, 2015 PDF

Beware: Paper medical records are a hot commodity on the black market.

If you have any cracks in your HIPAA compliance, you could face huge fines in a HIPAA audit. Also, news outlets are keeping a close watch on healthcare entities to find any missteps, too. Here’s the latest HIPAA violation case that illustrates just that.

News Outlets are Waiting for You to Slip Up

Background: After receiving notification from a local Denver news outlet, the HHS Office for Civil Rights (OCR) opened a compliance review and investigation of Cornell Prescription Pharmacy. Specifically, the news outlet notified OCR that Cornell disposed of unsecured documents containing the protected health information (PHI) of 1,610 patients in an unlocked, open container on the pharmacy’s premises.

According to OCR, Cornell is a small, single-location pharmacy that provides in-store and prescription services in the Denver metropolitan area, specializing in compounded medications and services for local hospice care agencies.

Cornell did not shred the documents, which contained identifiable information regarding specific patients, OCR says. The investigation revealed that Cornell failed to implement any written policies and procedures required by the HIPAA Privacy Rule, and failed to provide training on policies and procedures to its workforce.

Consequences: As a result of the investigation and compliance review, Cornell agreed to a settlement and Resolution Agreement with OCR, announced on April 27, in which the pharmacy will pay $125,000 and adopt a Corrective Action Plan (CAP) to correct deficiencies in its HIPAA compliance program. The agreement also requires Cornell to develop and implement a comprehensive set of policies and procedures to comply with the HIPAA Privacy Rule, as well as develop and provide staff training.

What to Expect from HIPAA Settlement Amounts

Despite being in the six-figure range, some industry experts are questioning why the settlement amount was so low. In fact, the first Resolution Agreement with Cornell showed a payment of $767,520, but now Cornell faces only a $125,000 settlement amount, according to an April 29 blog posting by attorney Matt Fisher, co-chair of Mirick O’Connell’s Health Law Group. 

“No information has been provided to explain the reduction,” Fisher noted. “One possible answer is that Cornell is a very small entity and may not have been able to afford the higher resolution amount.”

Caveat: Cornell is still vulnerable to additional significant fines, however. If during the next two years OCR finds that Cornell is in breach of the CAP or the terms of the Resolution Agreement, OCR could impose additional civil monetary penalties on the pharmacy, noted partner attorney Laurie Cohen in a May 4 blog posting for the law firm Nixon Peabody LLP. 

Look out: And recent fines may likely pale in comparison to fines that OCR will levy in the future, but “the resolution amounts remain wildly unpredictable,” Fisher said. “It will be a safe bet that any problems found in an audit will result in higher fines being assessed” — which is all the more reason to get your HIPAA compliance in order right now, rather than having an audit uncover deficiencies.

Total HIPAA Noncompliance More Prevalent Than You Might Think

In addition to the reduced fine, another surprising revelation in the Cornell case is the fact that the pharmacy had no HIPAA policies or procedures in place. But Cornell is shockingly not alone in this — “multiple surveys recently have found that a lack of knowledge about HIPAA is still fairly widespread,” despite HIPAA being around for nearly 20 years, Fisher pointed out. 

Whether noncompliance is due to an unintentional lack of awareness or something more deliberate is unclear. “No matter the reason, the government is clearly monitoring and looking for organizations that are not in compliance,” Fisher warned. 

And the speed at which OCR responded to the notification from the Denver news outlet about the improperly discarded records is also a bit of an eye-opener — OCR initiated its compliance review and investigation of Cornell just two days after receiving the notification, pointed out New York City-based associate attorney Jordan Cohen in an April 29 analysis for the law firm Mintz Levin PC.

Beware: The Cornell agreement is likely only the tip of the HIPAA enforcement iceberg. “Recent news reports and rumors indicate that HHS is just ramping up its enforcement work on HIPAA, and this may be only the first indication of a coming flood of settlement agreements for HIPAA violations,” warns Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems LLC in Charlotte, VT.

Safeguard Your Paper Records — They’re Black Market Gold

Pitfall: Although there has been intense focus in the healthcare industry on securing electronic forms of PHI and medical records, paper records are still highly vulnerable. “While not as easily transferrable as its digital counterpart, the information in paper-based medical records remains extremely lucrative in the black market,” Cohen warned. Experts estimate that an individual’s medical data can fetch as much as 10 times the value of a credit card number.

You can expect “increasing scrutiny given this lucrative black market as well as the recent high-profile breaches at various health insurance companies across the United States,” Cohen predicted.

Lesson learned: “This most recent settlement underscores HHS’ commitment to enforcement of the Privacy Rule no matter the size of the covered entity,” cautioned attorneys Bruce Armon and Karilynn Bayus of Saul Ewing LLP in an April 30 analysis published in the JDSUPRA Business Adviser. “All covered entities and business associates should ensure they have current and compliant HIPAA privacy and security policies in place, have active training programs for members of their workforce, and remain vigilant in protecting PHI in their possession.” 

Links: You can read the Resolution Agreement with Cornell at www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cornell.html. HHS also released an FAQ document on the disposal of PHI: www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf.