Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

  • About HHS
  • Programs & Services
  • Grants & Contracts
  • Laws & Regulations
  • Radical Transparency
  • Big Wins
  • HIPAA for Individuals
  • Filing a Complaint
  • HIPAA for Professionals
  • Newsroom
Breadcrumb
  1. HHS
  2. HIPAA Home
  3. For Professionals
  4. HIPAA Compliance and Enforcement
  5. Case Examples
  6. Cornell
  7. Cornell Press Release
  • HIPAA for Professionals
  • Regulatory Initiatives
  • Privacy
    • Summary of the Privacy Rule
    • Guidance
    • Combined Text of All Rules
    • HIPAA Related Links
  • Security
    • Security Rule NPRM
    • Summary of the Security Rule
    • Security Guidance
    • Cyber Security Guidance
  • Breach Notification
    • Breach Reporting
    • Guidance
    • Reports to Congress
    • Regulation History
  • Compliance & Enforcement
    • Enforcement Rule
    • Enforcement Process
    • Enforcement Data
    • Resolution Agreements
    • Case Examples
    • Audit
    • Reports to Congress
    • State Attorneys General
  • Special Topics
    • HIPAA and Part 2
    • Change Healthcare Cybersecurity Incident FAQs
    • HIPAA and COVID-19
    • HIPAA and Reproductive Health
      • HIPAA and Final Rule Notice
    • HIPAA and Telehealth
    • HIPAA and FERPA
    • Research
    • Public Health
    • Emergency Response
    • Health Information Technology
    • Health Apps
  • Patient Safety
  • Covered Entities & Business Associates
    • Business Associate Contracts
    • Business Associates
  • Training & Resources
  • FAQs for Professionals
  • Other Administrative Simplification Rules

HIPAA Settlement Highlights the Continuing Importance of Secure Disposal of Paper Medical Records

Cornell Prescription Pharmacy (Cornell) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule with the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Cornell will pay $125,000 and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program. Cornell is a small, single-location pharmacy that provides in-store and prescription services to patients in the Denver, Colorado metropolitan area, specializing in compounded medications and services for hospice care agencies in the area.

OCR opened a compliance review and investigation after receiving notification from a local Denver news outlet regarding the disposal of unsecured documents containing the protected health information (PHI) of 1,610 patients in an unlocked, open container on Cornell’s premises. The documents were not shredded and contained identifiable information regarding specific patients. Evidence obtained by OCR during its investigation revealed Cornell’s failure to implement any written policies and procedures as required by the HIPAA Privacy Rule. Cornell also failed to provide training on policies and procedures to its workforce as required by the Privacy Rule.

“Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons,” said OCR Director Jocelyn Samuels. “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.”

In addition to the $125,000 settlement amount, the agreement requires Cornell to develop and implement a comprehensive set of policies and procedures to comply with the Privacy Rule, and develop and provide staff training. The Resolution Agreement can be found on the OCR website at:http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cornell

OCR offers helpful FAQs concerning HIPAA and the disposal of protected health information:http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf 

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/ocr/office

Follow us on Twitter @HHSOCR

Content created by Office for Civil Rights (OCR)
Content last reviewed June 7, 2017
Back to top

Subscribe to Email Updates

Receive the latest updates from the Secretary and Press Releases.

Subscribe
  • Contact HHS
  • Careers
  • HHS FAQs
  • Nondiscrimination Notice
  • Press Room
  • HHS Archive
  • Accessibility Statement
  • Privacy Policy
  • Budget/Performance
  • Inspector General
  • Web Site Disclaimers
  • EEO/No Fear Act
  • FOIA
  • The White House
  • USA.gov
  • Vulnerability Disclosure Policy
HHS Logo

HHS Headquarters

200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free Call Center: 1-877-696-6775​

Follow HHS

Follow Secretary Kennedy