A major settlement resolving possible privacy violations by the national pharmacy chain Rite Aid Corp. comes on the heels of proposed amendments to the privacy provisions of the Health Insurance Portability and Accountability Act of 1996.
Alan Goldberg, a lawyer who specializes in HIPAA enforcement, said the timing of the settlement indicates that HHS remains committed to negotiating with organizations that experience security breaches. The strategy, he said, allows the government to reach settlements that compel improvement without costly and protracted litigation.
Meanwhile, the proposed rule HHS issued earlier this month suggests the government believes its discretion to do so may be somewhat restricted by the health IT provision of the American Recovery and Reinvestment Act of 2009, Goldberg said.
Rite Aid agreed to pay $1 million and take corrective action in related settlements with HHS' Office for Civil Rights and the Federal Trade Commission, both of which investigated the matter after television stations videotaped incidents suggesting that employees of the company's pharmacies were disposing of prescriptions and labeled pill bottles in publicly accessible trash bins. The agreements stipulate that they do not represent a concession of liability by Rite Aid.
In February 2009, CVS agreed to pay $2.25 million and entered agreements with HHS and the FTC likewise resolving investigations into the disposal of refuse that contained identifying information.
Rite Aid spokeswoman Cheryl Slavinsky said the company cooperated with agencies and has reviewed and strengthened its policies and procedures for protecting private information. "We will continue to work with FTC and HHS to ensure that comprehensive privacy procedures are working and being followed across the chain," Slavinsky said. "We are not aware of any harm to customers or patients arising from the investigated incidents," she added.
The agreements call for the company to revise its policies, train its workforce on new requirements, conduct internal monitoring and obtain an independent review of its security program every two years for the next two decades.