Federal agencies, hard at work to protect the swelling volume of digitized health information fueled by technology subsidies, have taken to task a chain of retail pharmacies accused of a decidedly low-tech breach: tossing paperwork and pill bottles in unsecured trash bins behind its stores.
Rite Aid latest chain to run afoul of privacy rules
Rite Aid Corp. agreed to pay $1 million and take corrective action in a pair of settlements with HHS' Office for Civil Rights and the Federal Trade Commission resolving potential violations of the privacy provisions of the Health Insurance Portability and Accountability Act of 1996.
The agencies launched investigations in 2007 after TV news reports appeared to show that employees of Rite Aid and its major competitors routinely disposed of materials bearing customers' clearly legible personal information in publicly accessible bins.
CVS Caremark Corp. previously agreed to pay $2.25 million and entered similar agreements with HHS and the FTC. All of the agreements stipulate that the companies have entered into them without admitted liability or wrongdoing.
The “resolution payments” are the largest sums extracted for alleged HIPAA violations since the law was passed. An investigation into the disposal practices of Walgreen Co. pharmacies remains open, according to the Office for Civil Rights.
The Obama administration, in the span of these investigations, strengthened HIPAA privacy and security provisions aimed at safeguarding health information, and increased penalties for violations in tandem with pumping about $14 billion to $27 billion into subsidies to quicken the adoption of electronic health records by hospitals and physicians.
“A consistent theme is that we need to make sure the public—meaning patients and enrollees and providers—are comfortable that protected health information is secure,” said lawyer Kathryn Roe, a principal in the Health Law Consultancy. “There's this sense that as more and more information becomes electronic, the exposure increases because of the ease with which one can send out an e-mail or flip a switch and all of a sudden you have” protected health information on a public website.
The stimulus law requires that organizations subject to HIPAA's privacy protections report security breaches affecting at least 500 individuals and those breaches are posted on an HHS website (See related story below). More than 100 organizations have made the list since it went live in February.
Roe noted that most of those breaches, though they involve electronic information, can be traced to the same type of security weaknesses that would lead to health information being exposed in unsecured garbage. “When you break it down in terms of what are the highest types of losses, it goes back to portable devices and it's either theft or something that has to do with human behavior,” Roe said.
The remedies, Roe said, are the same ones compelled in the settlement agreements Rite Aid entered with HHS and the FTC: Create and document policies and procedures, train workers to live by them, and ensure problems are reported and sanctioned.
Rite Aid spokeswoman Cheryl Slavinsky said the company cooperated with agencies and has reviewed and strengthened its policies and procedures for protecting private information. “We will continue to work with FTC and HHS to ensure that comprehensive privacy procedures are working and being followed across the chain,” Slavinsky said. “We are not aware of any harm to customers or patients arising from the investigated incidents,” she added.
The agreements call for the company to revise its policies, train its workforce on new requirements, conduct internal monitoring and obtain an independent review of its security program every two years for the next two decades.
Alan Goldberg, an independent lawyer who specializes in HIPAA enforcement, said the settlement's timing suggests to him that HHS, amid pressure to get tough on HIPAA violators, is emphasizing a continued commitment to negotiating with organizations that experience security breaches in order to resolve the problems efficiently and make sure they don't happen again. A proposed rule HHS issued in July, he noted, includes provisions that limit the department's discretion in investigations that involve allegations of “willful neglect” (July 12, p. 4).
While the companies have made payments under the terms of their settlements, HHS has yet to impose civil monetary penalties for a HIPAA privacy violation since the rule went into effect in 2003.
“Going forward, one can expect OCR to deal with cases of willful neglect more stringently, reserving the highest penalties for the worst offenders,” the Office for Civil Rights said in an e-mail. “The most important aspect of resolution agreements with covered entities such as Rite Aid and CVS is achieving a robust and effective corrective action plan to ensure that information is properly safeguarded in the future.”
Send us a letter
Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.