Rite Aid to pay $1M for HIPAA privacy breaches

Rite Aid Corp. has agreed to pay $1 million to settle potential violations of federal privacy rules arising from the national pharmacy chain's failure to protect sensitive customer information when it disposed of prescriptions and pill bottles in store trash containers.

The settlement followed enforcement of the privacy rule of the Health Insurance Portability and Accountability Act (HIPAA) by the Department of Health and Human Services. In a coordinated action, Rite Aid signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act, HHS said in an announcement July 27.

HHS' Office for Civil Rights, which oversees health information privacy, and the FTC collaborated on the investigation after television news crews videotaped Rite Aid employees throwing pill bottles, with individuals' health information still on the labels, into dumpsters that were accessible to the public, said OCR director Georgina Verdugo.

As part of the agreement, Rite Aid and its 4,800 pharmacies will establish policies and employee training on how to protect sensitive information and will obtain an independent assessment of pharmacy compliance with the HIPAA privacy rule.

"We hope that this agreement will spur other health organizations to examine and improve their policies and procedures for protecting patient information during the disposal process," Verdugo said in a statement.

Verdugo said the drug store chain began increasing employees' awareness of the company's privacy policy and making sure that they were disposing of patient information correctly. Confidential information is now put into specifically colored bags and sent to designated distribution centers, where it is destroyed, she said.

Rite Aid spokeswoman Cheryl Slavinsky said, "We take this very seriously. We are not aware of any harm to customers or patients from the investigated incidents, and we certainly hope that it does not happen again."

Rite Aid has strengthened HIPAA program training with better tracking and monitoring to make sure employees read policies and perform the computer-based training modules, she said.

This is the second joint investigation and settlement conducted by OCR and FTC. In February 2009, CVS, another national drug store chain, agreed to pay a $2.25 million fine and establish similar improvements in its internal practices.

The HIPAA Privacy Rule requires health plans, health care clearinghouses and most health care providers, including most pharmacies, to safeguard the privacy of patient information, including such information during its disposal.