Final settlement reached in CVS HIPAA violation suit

CVS Caremark must implement an information security program and obtain independent assessments of its effectiveness every other year for 20 years to settle federal charges that its employees threw patients' personal information into open garbage bins.
The Federal Trade Commission approved the final consent order Tuesday, settling charges that CVS Caremark failed to protect patients' health information in 2006, when pharmacy workers discarded labeled pill bottles, medication instruction sheets and computerized order information into open trash containers. As part of the final consent order, CVS Caremark, which operates approximately 6,300 retail pharmacy stores, must designate an employee to create and maintain a comprehensive, written program outlining the actions the company will take to protect information collected from consumers.
In February, the company agreed to pay $2.25 million to the U.S. Department of Health and Human Services to resolve allegations that the same disposal practices violated the Health Insurance Portability and Accountability Act (HIPAA).
As part of its information security program, CVS Caremark must identify the personal information it collects and stores and conduct an assessment of the internal and external threats that pose a risk to that information, according to the final consent order. The risk assessment must address employee training, the systems where the information is stored and disposed of, and the prevention of and response to attacks or intrusions. The company must then implement safeguards for the risks identified and regularly test and monitor their effectiveness.
The company must also obtain assessment reports from a qualified third-party organization every two years for the next 20 years and submit them to the FTC's Bureau of Consumer Protection.
“That the FTC had to mandate that CVS Caremark assign an employee to document what should have already been at the core of their business would tend to indicate a very sloppy business that will gain great efficiencies from some sorely absent discipline in their operations,” Randy Abrams, director of technical education at security vendor ESET, told SCMagazineUS.com in an email Thursday.
If CVS Caremark follows through with the requirements of the court order, then this will probably be a cost-saving measure in the long run, Abrams said. He added that business will likely improve if the company instills in its employees an attitude of concern about privacy and security.
“I doubt that many, if any, of the employees were cognizant of the fact that simply throwing away prescription bottles with consumer information was a privacy problem,” Abrams said.
A CVS Caremark spokesperson did not respond to a request for comment Thursday.