Pharmacy Fined $125,000 for Breach

April 28, 2015

By , April 27, 2015.

Paper Patient Records Not Properly Destroyed

A small Denver compounding pharmacy has been slammed with a $125,000 federal penalty for a 2012 breach involving improper disposal of paper patient records. It’s the second such HIPAA enforcement action within a year by federal regulators tied to an incident involving records dumping by a covered entity.

In an April 27 statement, the Department of Health and Human Services’ Office for Civil Rights says Cornell Prescription Pharmacy has agreed to a HIPAA settlement that includes the $125,000 penalty and calls for adopting a corrective action plan to correct deficiencies in its compliance program.

Cornell is a single-location pharmacy that specializes in compounded medications and related services for hospice care agencies in the region.

Proper PHI Disposal

“Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons,” says OCR Director Jocelyn Samuels. “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.”

OCR launched a compliance review and investigation in February 2012 after the agency received notification from a Denver news outlet regarding the disposal of unshredded documents containing the protected health information of 1,610 patients in an unlocked, open container on Cornell’s premises.

OCR’s investigation determined Cornell failed to implement any written policies and procedures as required by the HIPAA Privacy Rule. The pharmacy also failed to provide training on policies and procedures to its workforce as required by HIPAA, OCR says.

Similar Cases

OCR last June approved an $800,000 HIPAA settlement with Parkview Health System, an Indiana-based community health system, tied to an incident involving paper records dumping. In that case, the organization was cited for leaving 71 cardboard boxes of medical records on thousands of patients unattended and accessible to unauthorized persons on the driveway of a retiring physician’s home (see $800,000 Penalty for Paper Records Breach).

And in addition to the Parkview case, OCR has issued hefty settlements for several other breaches involving improper disposal of PHI.

“The latest OCR settlement is almost identical to 2009 and 2010 settlements against CVS and Rite Aid over the pharmacies allegedly dumping protected health information in publicly-accessible waste containers,” says privacy attorney Adam Greene of law firm Davis Wright Tremaine.

“In both of those cases, as in the current case with Cornell Prescription Pharmacy, the OCR investigation was triggered by a local television news report identifying the issue at local pharmacies,” Greene notes. “In response to the CVS and Rite Aid cases, OCR issued specific guidance on properly disposing of protected health information. Apparently, when OCR learned of a news report indicating that a pharmacy was not heeding this guidance, OCR determined that an additional settlement was needed.”

Covered entities and business associates should closely track OCR settlement agreements “and ensure that any similar issues are addressed within your own organization,” Greene stresses.

Attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says he’s surprised there haven’t been even more such enforcement actions by OCR for these kinds of improper disposal cases.

There have been approximately 30 large breaches since April 2011 that have involved covered entities or business associates that failed to make paper or printed PHI unreadable or indecipherable, “such as by shredding into itty-bitty pieces,” says Holtzman, who was a senior adviser at OCR prior to joining CynergisTek in 2013. “This [latest] case represents a drop in the bucket.”

Corrective Action Plan

As part of its resolution agreement with OCR, Cornell has agreed to implement a corrective action plan that includes developing, maintaining and revising, as necessary, written policies and procedures to comply with the HIPAA Privacy Rule and submitting documentation of those policies and procedures to OCR for its review and approval.

The policies and procedures must include administrative and physical safeguards for the disposal of all non-electronic PHI, including those records being “shredded, burned, pulped or pulverized so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.”

The pharmacy also agreed to distribute those policies and procedures to all members of its workforce within 30 days of OCR approving them and to also issue those policies and procedures to new members of the workforce within 30 days of their beginning of service.

In addition, the pharmacy agreed to provide its workforce HIPAA privacy training and to report violations of its privacy policies and procedures by its workforce to OCR.

More Settlements Soon?

Some privacy and security experts believe the resolution agreement with Cornell could be the first of several additional enforcement actions in the works at OCR for 2015, including cases involving other examples of HIPAA non-compliance.

“This is likely the beginning of a more active phase of OCR enforcement that we have been anticipating,” Holtzman says. “I believe that OCR has been investigating a number of significant investigations and compliance reviews, many resulting from breaches reported to HHS.”

Holtzman adds: “I do not believe that OCR limits itself to reserving its enforcement resources to a predetermined checklist or agenda prioritizing one type of incident over another.”

In a recent interview with Information Security Media Group, Greene also predicted that OCR will likely announce a number of eye-popping financial settlements for HIPAA violations later this year (see Could Big HIPAA Settlement be Coming?).

Recycle Your E-Waste

April 22, 2015

Electronic waste, or “e-waste,” is a term used to describe any electronic device that is outdated, obsolete, broken, donated, discarded, or at the end of its useful life. This includes cell phones, computers, laptops, PDAs, monitors, televisions, printers, scanners, and any other electrical device.

With the rapid expansion of technology, combined with the relatively short shelf life of many present day electronic devices, more and more e-waste is generated each year. Often, these discarded devices end up in landfills or are incinerated, which can cause major environmental problems in our communities.

Many of the materials found in electronic devices are extremely hazardous. These include lead, mercury, and cadmium. When these electronics end up in landfills, many of these chemicals leach into the soil during rainfall or are released into the atmosphere when burned. These chemicals can have dangerous impacts on the health of plants and animals and when inhaled can lead to serious respiratory problems. Fortunately, the simple solution to limiting the dangerous effects of careless e-waste disposal is safe and responsible recycling.

Each year, the United States alone produces up to 50 million tons of e-waste. Of this, only 20-25% is recycled safely and responsibly. The other 75% ends up in landfills. As a direct consequence, hazardous materials found in this waste routinely contaminate our air and water supplies. By safely and responsibly recycling your e-waste, you can help protect your community and the ecosystem from these dangerous chemicals.

Get Your Green on At Work: Earth Day

April 17, 2015

by Vanessa L. Goddard, April 13th, 2015

Celebrate Earth Day (April 22) year-round with these green workplace ideas. A few of these changes may be possible only one day a year. Others might be things you can work up to doing once a month, or even eventually once a week. There may even be a few suggestions on this list you can start now and make a lifelong practice at your business or workplace.

Saving Energy

We’ve all seen the energy efficient light bulbs at the store. If you’re not using them, you should be. EnergyStar.gov states that, if every American replaced one regular bulb with an Energy Star efficient bulb, greenhouse gas emissions would be reduced by 9 billion pounds – the equivalent of emissions from 800,000 cars! So, this Earth Day, try making the switch to compact fluorescent (CFL) bulbs where feasible in the workplace.

Better still, turn stuff off at the end of the day. Then, unplug it. This goes for computers, coffee makers, fax machines, copiers, and any other electronics you have around the office. Not only will this save electricity – it can save big bucks. You can make this easier by investing in power strips so you can save money and the environment with the flip of a switch.

For workspaces with windows, implement some lights-out time during the sunniest part of the day. Natural sunlight will not only reduce your power bill and save electricity; opening those blinds and soaking in the Sun’s Vitamin D will also raise your employees’ spirits.

Experiment with changing the thermostat by one degree (up or down depending upon the season) to conserve energy.

Saving The Environment

For this Earth Day, have your employees work together to use less energy for their commute to work. For those who live close by, walking and biking are great ways to save energy, reduce greenhouse gas emissions, and get a little exercise to boot. If you offer telecommuting, make that option available this Earth Day. Have your employees organize a carpool or take public transportation that day. You might find you can adopt this practice for more than simply one day a year.

If your office hasn’t made the switch to recycling, start a new habit on April 22nd. If you’ve already transitioned to recycle bins, take the next step in your recycling program by switching to recycled paper products, like copy paper and towels. If your whole office can’t make the switch but you recycle at home, commit to saving your own cans, cardboard boxes, and glass bottles to take home for the recycle bin.

Other habits you can start this Earth Day to make a difference include refilling your water bottle for a week or bringing re-usable water bottles and coffee mugs to work. Pack your lunch one day a week. Not only will you cut down on waste such as Styrofoam take-out packaging and plastic flatware, you’ll save a little coin too. Some folks are bringing personal hand towels to work to cut down on paper waste. There are fast-drying towels on the market now which are sized perfectly for purses or bags. Can you go paperless for a day? How about using both sides of the paper for one day? Start little, but think big.

Go Green – Literally

Add plants to your workspace. Folks, there is no down side to this suggestion. Plants are an inexpensive way to beautify the workplace, keep the air clean, and lower stress. Plants generate fresh oxygen and soak up a lot of bad stuff you didn’t even realize you’re breathing. NASA compiled a list of plants that are the best at removing toxins from the air – things like formaldehyde and benzene – that may be found in furniture, dry cleaning, inks, cleaners, plastics, detergents, etc. So, consider adding these beauties to your workplace:

• Aloe Vera: It needs a sunny spot, but it also removes toxins and is good for cuts and burns.
• Spider plant: This plant is hard to kill – a prime choice for the black thumb who loves plants.
• Peace lily: These lovelies can grow with just indoor light and once-a-week watering.
• English ivy: You should look up what this removes from the air.  You’ll thank me. I plan to buy 10.
• Bamboo palm: This plant thrives in the shade and can live in water if you choose to do it that way.

I recommend you check out NASA’s complete list to find the plants perfect for your office space. So, this Earth Day, April 22nd, go do something green.  It’s easier than you think. If you have any suggestions for going green at the office, I’d love to hear your views.

HIPAA Compliance Audits Remain on Hold

April 16, 2015

OCR Official Describes New Guidance in the Works

By , April 15, 2015.

After a three-year delay, federal regulators remain tight-lipped about when the next round of HIPAA compliance audits will begin. But a variety of new HIPAA-related guidance is in the works, a government official says.

During an April 15 session at the HIMSS 2015 Conference in Chicago, a regional official from the Department of Health and Human Services’ Office for Civil Rights told attendees the next phase of the random HIPAA audit program “is under development.” Attorney Alessandra Swanson, an OCR team leader from the agency’s Chicago office, declined to say whether there’s a potential timeline for when OCR expects to kick off the next round of HIPAA audits, or what the program might look like.

OCR, which enforces HIPAA, had hoped to kick off phase two of its compliance audit program last fall, but officials last September revealed the program was being delayed. The culprit blamed at the time: technology, which the agency said was still being rolled out, that will allow OCR to collect audit-related documentation from covered entities and business associates via a Web portal (see HIPAA Compliance: What’s Next?).

OCR also had a change in leadership last year. In July, Jocelyn Samuels was named the office’s new director. Samuels, who was formerly acting assistant attorney general for the Civil Rights Division at the U.S. Department of Justice, replaced Leon Rodriguez, who was named director of U.S. Citizenship and Immigration Services, a unit of the Department of Homeland Security.

Privacy attorney Adam Greene, a partner at the law firm Davis Wright Tremaine, told Information Security Media Group in an interview at the HIMSS Conference that he believes the delay in various OCR enforcement activities, including the audit rollout, could be related to tight OCR resources, as well as the new leadership settling in.

But OCR appears to be staffing up for the audit program. In an announcement posted last week by HHS, the agency said it had a “compliance specialist – auditing” position open within its Washington headquarters.

“This position serves as the senior auditing subject matter expert who provides leadership, oversight, coordination and advice necessary to design, plan and execute an audit program of covered entity and business associate compliance with the HIPAA privacy, security and breach notification rules,” the job posting said.

OCR officials in recent months have said the agency also is working on updating its audit protocol for covered entities and creating a new audit protocol for business associates. BAs became directly liable for compliance under the HIPAA Omnibus Rule last year and are subject to OCR enforcement actions, including financial penalties that range up to $1.5 million per HIPAA violation.

Other Activities

In addition to preparing for resuming the random HIPAA compliance audit program, OCR is working on new guidance, including material relating to business associates; the breach notification rule as well as a breach assessment tool; the use of protected health information for marketing; the “minimum necessary” standard for data; and HIPAA Security Rule compliance updates, Swanson says.

In addition, OCR is continuing breach investigations and rule-making.

“Our goal is, and has always been, to get entities into compliance,” Swanson says. “I know that our enforcement cases get a lot of attention, but when you look at the number of enforcement cases versus those that are resolved with technical assistance and corrective actions, you’ll see that we always try to go the compliance route first. We’re interested in getting everyone into compliance; we’re not out there trolling for enforcement cases.”

OCR is anticipating receiving 15,000 to 17,000 HIPAA complaints in 2015, she says. All health data breaches affecting more than 500 individuals are investigated by the agency, she says. Although there have been no enforcement actions involving monetary settlements with business associates, Swanson says the agency is currently investigating a number of breaches involving BAs.

Former Therapist Charged in HIPAA Case

April 10, 2015

Faces Charges Tied to Inappropriate Access to Records

By , April 9, 2015.

A former respiratory therapist at an Ohio hospital has been indicted for HIPAA violations in connection with alleged inappropriate access to the records of nearly 600 patients.

The indictment of Jamie Knapp, who had formerly worked at ProMedica Bay Park Hospital in Oregon, Ohio, is one of only a handful of criminal prosecutions of individuals for HIPAA violations.

“Overall, criminal prosecutions under HIPAA have not been that common, although we have seen an increase in recent years,” says privacy attorney Scot Ganow of the law firm Faruki Ireland & Cox PLL. “I do expect us to see more prosecutions as the interest in healthcare information increases for a variety of purposes, including identity theft, cyberstalking, public shaming and celebrity watching.”

According to indictment documents filed this month in a federal court in Ohio, a grand jury indicted Knapp for unlawfully obtaining identifiable health information of 596 patients in violation of HIPAA. The grand jury also charged Knapp with unauthorized access of a protected computer, in violation of federal laws.

“In her capacity as a respiratory therapist, Knapp was authorized to access individually identifiable health information and protected health information of certain respiratory patients,” according to the indictment. “Knapp was not authorized to access the individually identifiable health information and protected health information of other hospital patients.”

Federal prosecutors involved in the case did not immediately respond to Information Security Media Group’s request for more details about the alleged HIPAA violations.

Accessing protected health information without authorization and the disclosure of this information to a third party carries a jail term of up to 10 years in addition to a maximum fine of $500,000 if the disclosure is made for personal gain, Ganow says.

On May 28, 2014, ProMedica, the parent company of the 72-bed hospital where Knapp worked, began notifying the affected patients that their records were inappropriately accessed between April 1, 2013, and April 1, 2014 (see Police Investigating Insider Breach). The breach was also reported to the U.S. Department of Health and Human Services, which has listed the incident on its “wall of shame” website of major breaches as an unauthorized access/disclosure incident involving electronic medical records and a network server.

Other HIPAA Cases

There have been only a handful of other HIPAA-related indictments of individuals that have resulted in convictions and prison sentences.

“Most recently, we saw the criminal conviction of hospital employee Joshua Hippler in Texas for wrongful disclosure of individually identifiable health information for personal gain,” Ganow notes. In February, Hippler was sentenced to serve 18 months in prison after pleading guilty on Aug. 28, 2014, to wrongful disclosure of individually identifiable health information (see Prison Term in HIPAA Violation Case).

Federal prosecutors say that from December 2012 through January 2013, Hippler was an employee of an unidentified East Texas hospital, where he obtained protected health information with the intent to use it for personal gain.

In another case in October 2013, Denetria Barnes, a former nursing assistant at a Florida assisted living facility, was sentenced to 37 months in prison after pleading guilty to several federal offenses, including conspiracy to defraud the U.S. government and wrongful disclosure of HIPAA protected information.

Ganow predicts prosecutors will pursue more of these criminal HIPAA cases. “As long as the healthcare industry continues to actively use Social Security numbers and not take steps to redact them or commit to a minimum use policy, we will see increased criminal activity and related prosecutions,” he says. “Because healthcare records have names, dates of births and SSNs, they are a tempting target for one-stop shop identity thieves.”

Still, there are steps that healthcare entities can take to minimize insider breaches.

“It’s not enough to have your policies, procedures and safeguards in place. You have to continually assess your security posture for new threats or new risks as a result of a new use of information,” he says.

It’s Earth Month!

April 1, 2015

Today is the beginning of Earth Month!

Yes, I said that right, Earth Month. Although some people only recognize Earth Day, on April 22nd, we want to encourage everyone to celebrate our Earth every day. We understand that a lot of people don’t know what they can or should recycle, how they can reduce or reuse items they’d otherwise throw away, or the human and environmental health risks certain items cause when not properly disposed of. We are here to help make the world a better place and show that you can help too. Join us in making Earth Day/Month into part of your everyday lives because here at Maxxum, every day is an Earth Day. Let’s celebrate!

Keep checking back with us to see how we’re changing the world and how you can help.