HIPAA Breach Case Studies
by ClinicNerds

Precipitating Event: Local TV news reported that the pharmacy was dumping pill bottles in an open dumpster.

Quote From The Legal Agreement
real name changed to XYZ Pharmacies

minor modifications for readability

Interpreting the HIPAA Police

Quote that sends a message:

Understand the lifecycle of all of your PHI. PHI is created, maintained, then destroyed.

Ask Yourself: How are your PHI disposal policies and procedures?

Quote that sends a message:

If a policy is not enforced, it is not a policy. If a policy is not applied to everybody (e.g. management) then it breeds resentment.

Ask Yourself: Who enforces your policies?

Quote that sends a message:

This pharmacy chain did all of the recommended HIPAA actions, but, in the opinion of the HIPAA police, they did not do enough. The message is do not just go through the motions. Take a conservative approach that avoids any gray areas.

Ask Yourself: Are you giving lip service to some policies and procedures?

Additional Comments

A year later, another large pharmacy chain had this exact same breach of PHI (pill bottles in an open dumpster), though the fine was $1,000,000. The details are nearly identical, so, to save time, a separate case study was not written up.

Obligations During HIPAA Probation
  • Each XYZ Pharmacy location must designate a privacy official.
  • Develop, maintain, and revise, as necessary, uniform, written policies and procedures.
  • Revise the administrative and physical safeguards for the disposal of all PHI. Final disposal requires shredding, destroying, or otherwise making such PHI unreadable or indecipherable.
  • Each new employee must receive the policies within 10 days.
  • Require each member of the workforce who receives the Policies and Procedures to submit a written or electronic compliance certification stating that the workforce member has received, read, understood, and agreed to abide by the Privacy Policies and Procedures.
  • Enforce appropriate sanctions (which may include re-training or other instructive corrective action) against employees who have access to PHI, including its disposal, and who fail to comply with the safeguards policies and procedures. This includes supervisors and managers.
  • Submit a written description of their plan to monitor internal compliance with the Privacy Policies and Procedures.

Legally called a 'Corrective Action Plan' or CAP, HIPAA Probation is a legal agreement under which the HIPAA Police monitor the organization for 3 years. During probation, there are specific to-dos, milestones, deliverables, etc.

Tools From ClinicNerds

To fix these issues before the trouble starts, ClinicNerds offers these tools:

The HIPAA Lifeguard App is a guided, do-it-yourself risk assessment. It includes unlimited assistance with encrypting computers.

CCC - the Clinic Collaboration Community - is for sharing policies, procedures, and best practices.

Case Study Factsheet

XYZ Pharmacies is a retail pharmacy chain headquartered in Rhode Island.

Case ID

Fine Amount

Corrective Action Plan (CAP) ?
Yes, 3 Years

Precipitating Event
Local TV news reported that the pharmacy was dumping pill bottles in an open dumpster.

HIPAA Police Office
HHS Region 1 - Boston

{ end case study CS-2009-01-16 }