HIPAA Handbooks

  • Privacy and security training for new and seasoned staff
  • 11 staff/setting focus areas
  • Education on protecting PHI
  • New HITECH Act changes
  • Discounts on bulk purchases

More»

E-learning

  • Role-based training using real-life case scenarios
  • Test-your-knowledge exercises with remediation
  • Post-course test to document staff participation

More»

Other HIPAA Resources

  • Hot-topic audio conferences
  • Books on privacy and security
  • Newsletters
  • e-Newsletter
  • Videos


More»

Apr
28

OCR fines Denver pharmacy $125,000 for HIPAA breach

Email This Post Print This Post

rep02The HHS Office for Civil Rights (OCR) entered into a $125,000 resolution agreement March 15 with Cornell Prescription Pharmacy (CCP) in Denver for HIPAA violations.

OCR received a media report January 11, 2012, indicating that CCP disposed of PHI in a publicly accessible dumpster. OCR began investigating CCP January 13, 2012, and notified the covered entity of the investigation February 27, 2012. The resolution agreement states that CCP failed to do the following:

  • Reasonably safeguard PHI
  • Implement written policies and procedures for compliance with the HIPAA Privacy Rule
  • Provide and document HIPAA Privacy Rule training for workforce members since the compliance date of the rule

In addition to agreeing to the civil monetary penalty, CCP also agreed to do the following as part of the resolution agreement with OCR:

  • Develop, maintain, and revise written policies and procedures to comply with federal privacy standards
  • Provide copies of policies and procedures to OCR for review and approval
  • Adopt and implement policies and procedures within 30 days of OCR approval
  • Distribute policies and procedures to workforce members within 30 days of OCR approval
  • Require workforce members to sign policies and procedures indicating that they have read, understand, and will abide by them
  • Assess, update, and revise policies and procedures annually
  • Restrict workforce members from the use or disclosure of PHI if they have not signed the policies and procedures
  • Train workforce members on the new policies and procedures within 30 days of implementation
  • Notify HHS/OCR of any future reportable breaches within 30 days of conducting an internal investigation
Categories : Breach Notification, HHS, OCR

Leave a Reply