$125,000 – Still Another 100% Avoidable Fine

There continues to be a steady stream of large settlements with HHS-OCR with recurring theme. They have been avoidable. Of note is a recent $125,000 settlement with a small one-location pharmacy Cornell Prescription Pharmacy in Denver, CO (“The Pharmacy”).

NOTE: Released information indicates that there will be a steady stream of significant settlements in the near future.

The Pharmacy was referred to HHS-OCR by a local investigative TV reporter from 9 News after 1,610 records with PHI were found in an unsecured trash dumpster on the premises. In addition, HHS-OCR documented The Pharmacy’s (1) failure to implement written policies and procedures and (2) failure to provide and document employee training.

The settlement can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cornell/cornell-cap.pdf



This $125,000 fine and Settlement were obviously 100% avoidable. A written and implemented employer-specific comprehensive Compliance Program would have saved The Pharmacy more than $120,000. HHS’s Office of Inspector General’s (OIG) has provided guidance as to what constitutes a Compliance Program. This is consistent with guidance from other departments as well. The seven (7) components include:

  1. Designating a Compliance Officer or Contact
  2. Implementing Written Standards and Procedures (note the requirement to implement!)
  3. Conducting Appropriate Training and Education
  4. Developing Open Lines of Communication
  5. Conducting Internal Monitoring and Auditing
  6. Responding Appropriately to Detected Offenses and Developing Corrective Action
  7. Enforcing Disciplinary Standards through Well-Publicized Guidelines

Selected questions to ask yourself.

  1. Where were the Privacy Officers?
  2. With cost-effective online role-specific training available, why weren’t employees trained? This event is also a great example of why employee training is not appropriate for Privacy Officers. Privacy Officers require different information and one size does not fit all. (Go to HIPAA-Consultants.com for more information about available role-specific learning.) A training sub-policy is one of the core 30+ pieces to the Compliance Program.

HIPAA-Consultants.com can help you cost effectively address your Compliance Program. To arrange a no-cost no-obligation limited scope review (12 items) to “get a sense of your compliance”, send an email to info@HIPAA-Consultants.com or call (305) 253-5932. Feel free to contact me with any comments or questions. I’m here to help.