No HIPAA risk assessment, no HIPAA written policies and procedures, and no HIPAA training equals “willful neglect” and earned a $125,000 HIPAA fine for a Colorado compounding pharmacy.
Flying under the HIPAA radar is something a lot of covered entities and business associates practice. Sometimes you run into a mountain called the Office for Civil Rights (OCR), the enforcement arm of the Department of Health and Human Services (HHS). An investigation can be triggered by a number of things: a whistleblower, a patient complaint, a breach, an audit by a state attorney general, or just an audit by a business partner or client. In this case it was a news agency that discovered 1,610 unshredded paper patient records containing protected health information (PHI) in a dumpster.
The investigation revealed that the pharmacy had completely ignored the HIPAA regulations, which triggered the “willful neglect” designation. That tier can be punished by up to $1.5 million per year for violations of a single provision, so while $125,000 was a lot for a small pharmacy, it could have been a lot worse. In fact, the true cost is higher than the $125,000, because studies have shown that over 60% of patients will leave a healthcare organization that has had a breach.
If this pharmacy had been a client of Compliance Helper and ACR2 Solutions, it would have had the Cycle of Compliance in place, which would have provided a HIPAA risk assessment meeting the NIST standards, written policies and procedures tailored to the organization, access to a HIPAA expert, and ongoing training and awareness for staff based on those policies and procedures. The cost would have been around $200 per month. You do the math.