A small Denver pharmacy agreed to a $125,000 settlement with the U.S. Department of Health and Human Services (HHS) after HHS alleged that the pharmacy failed to dispose of paper records that contained patient information in accordance with HIPAA.

According to the Resolution Agreement, the HHS Office for Civil Rights (OCR) received a report from a local news station that the pharmacy disposed of paper records with protected health information (PHI) in a dumpster that was accessible to the public.  The Resolution Agreement also alleges that the pharmacy failed to implement written policies and procedures to comply with HIPAA, nor did the pharmacy train its workforce as to proper HIPAA protocols and procedures for handling of PHI.

The settlement illustrates the need for covered entities and business associates to ensure that records and documents, both paper and electronic, are maintained and disposed of in a secure manner.  HIPAA requires covered entities and business associates to protect the privacy and security of PHI in any form, including by implementing reasonable physical, administrative, and technical safeguards.  In a Frequently Asked Questions document about disposal of information, HHS notes that, while HIPAA does not mandate any particular method of disposal, “covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.”

Furthermore, the settlement should remind covered entities and business associates of all sizes of the importance of implementing proper written policies and workforce training in compliance with HIPAA.