Rite Aid to pay $1 million fine for HIPAA violation

Following federal charges that it violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by improperly disposing of prescription information, pharmacy chain Rite Aid Corp. and its 40 affiliated entities (RAC) have agreed to pay a $1 million fine.

The fine was levied by the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules from within the Department of Health and Human Services. OCR also required that RAC take corrective action to improve policies and procedures to safeguard the privacy of its customers when disposing of identifying information on pill bottle labels and other health information.

In addition to the OCR charge, the Federal Trade Commission also demanded the company undergo frequent security audits.

The fine follows a four-year joint investigation by the OCR and FTC spurred by media reports that some of Rite Aid's stores in various cities were throwing out customers' prescriptions and labeled pill bottles in industrial dumpsters that were accessible to the public. The settlements apply to all of Rite Aid's nearly 4,900 retail pharmacies.

The HIPAA Privacy Rule requires that entities in the health care field protect the privacy of individually identifiable health information, including during its disposal.

"It is critical that companies, large and small, build a culture of compliance to protect consumers' right to privacy and safeguard health information," said Georgina Verdugo, director of OCR, in a statement from the Department of Health and Human Services. "OCR is committed to strong enforcement of HIPAA. We hope that this agreement will spur other health organizations to examine and improve their policies and procedures for protecting patient information during the disposal process."

According to the release, among other issues, the reviews by OCR and the FTC found that Rite Aid failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process; failed to adequately train employees on how to dispose of such information properly; and did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information.

In addition to the fine, under the resolution agreement, RAC must implement a strong corrective action program that includes revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them; training workforce members on these new requirements; conducting internal monitoring; and engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.

This is the second settlement as a result of a joint HHS and FTC investigation. The two agencies worked together on a similar case involving CVS Caremark in February 2009, which resulted in a $2.25 million fine for the pharmacy chain.
