CVS Pays $ 2.25 Million Settlement for HIPAA Violation

CVS Caremark Corp. has agreed to pay $ 2.25 million to resolve a state investigation into allegations that it violated HIPAA privacy regulations when pharmacy workers tossed items such as pill bottles containing patient information.
The deal, announced on Wednesday, follows a joint investigation by the Department of Health and the Federal Trade Commission after media reports in 2006 that employees at CVS pharmacies improperly disposed of sensitive patient and employee data.
Employees allegedly dumped pill bottles with labels with patient information on them in open dumpsters, along with medication instructions, information on pharmacy orders, job applications, payroll information, and credit card and insurance card information.
According to the FTC, CVS Caremark has violated federal law by failing to implement adequate and appropriate procedures for handling customer and employee personal data and by not properly training employees to safely dispose of personal data.
In addition to paying HHS $ 2.25 million, the company’s more than 6,000 retail pharmacies must establish and implement policies and procedures for the disposal of proprietary health information, implement a training program, conduct internal monitoring, and hire an external appraiser Assess compliance for three years.
The FTC regulation requires the company to put in place a comprehensive information security program to protect the data it collects from consumers and employees. In addition, the company must have a qualified third party conduct a security audit every two years for the next 20 years.
In a prepared statement, CVS Caremark of Woonsocket, RI said the company responded immediately to the 2006 media reports by improving its retail waste management policies and implementing a chain-wide confidential waste shredding program.
The company said it was not known to harm consumers from the alleged incidents. Under the agreement with the FTC and HHS, CVS told Caremark that it specifically denied any wrongdoing.
Over the past several years, compliance experts have said that the HIPAA rules have very few enforcement mechanisms. Kate Borten, president of The Marblehead Group, a consulting firm that helps health organizations meet compliance requirements, said enforcement has been so infrequent that some health care providers say they see no disadvantage in weaker efforts to comply with HIPAA to do.
“It was thought that the government took a ‘kinder and gentler’ attitude,” said Borten. “When a complaint comes in, the government comes and gives you time to fix any problems you have.”
In November, the Office of Inspector General (OIG) released a report criticizing the Department of Health and Human Services for not being proactive in enforcing HIPAA rules.
Lax enforcement can change. President Barack Obama’s stimulus package, signed on Tuesday, contains new rules that significantly expand HIPAA. The rules regulate data protection and the security of medical records for health organizations and now their so-called business partners. The new rules include a Violation Reporting Act, which requires healthcare providers to publicly notify individuals if a violation affects more than 500 people. Stricter enforcement and penalties are also provided for in the law. It empowers attorneys general to bring civil action in the federal district court against anyone who violates HIPAA.
“It gives compliance and enforcement a lot more teeth,” Borten said of the new rules. “The government is increasing pressure in healthcare and other organizations to protect sensitive data and keep it safe from criminals.”
News editor Robert Westervelt contributed to this report.