WASHINGTON – Rite Aid Corp. has agreed to pay $1 million to settle potential violations of federal privacy rules when the national pharmacy chain failed to protect sensitive customer information in disposing of prescriptions and pill bottles in store trash containers.
The settlement followed enforcement of the privacy rule of the Health Insurance Portability and Accountability Act (HIPAA) by the Department of Health and Human Services. In a coordinated action, Rite Aid signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act, HHS said in an announcement July 27.
HHS' Office of Civil Rights, which oversees health information privacy, and FTC collaborated on the investigation after television news media videotaped incidents in which Rite Aid employees threw out pill bottles with individuals' health information on the labels in dumpsters that were accessible to the public, said OCR director Georgina Verdugo.
As part of the agreement, Rite Aid and its 4,800 pharmacies will establish policies and employee training on how to protect sensitive information, and will obtain an independent assessment of pharmacy compliance with the HIPAA privacy rule.
"We hope that this agreement will spur other health organizations to examine and improve their policies and procedures for protecting patient information during the disposal process," Verdugo said in a statement.
Verdugo said the drug store chain began increasing employees' awareness of the company's privacy policy and making sure that they were disposing of patient information correctly. Confidential information is put into specific color bags and sent to special distribution centers, where it is destroyed, she said.
Rite Aid spokeswoman Cheryl Slavinsky said, "We take this very seriously. We are not aware of any harm to customers or patients from the investigated incidents, and we certainly hope that it does not happen again."
Rite Aid has strengthened HIPAA program training with better tracking and monitoring to make sure employees read policies and perform the computer-based training modules, she said.
This is the second joint investigation and settlement conducted by OCR and FTC. In February 2009, CVS, another national drug store chain, agreed to pay a $2.25 million fine and establish similar improvements in its internal practices.
The HIPAA Privacy Rule requires health plans, health care clearinghouses and most health care providers, including most pharmacies, to safeguard the privacy of patient information, including such information during its disposal.



