Rite Aid to pay $1 million fine for HIPAA violation
Following federal charges that it violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by improperly disposing of prescription information, pharmacy chain Rite Aid Corp. and its 40 affiliated entities (RAC) have agreed to pay a $1 million fine.
The fine was levied by the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules from within the Department of Health and Human Services. OCR also required that RAC take corrective action to improve policies and procedures to safeguard the privacy of its customers when disposing of identifying information on pill bottle labels and other health information.
In addition to the OCR charge, the Federal Trade Commission also demanded the company undergo frequent security audits.
The fine follows a four-year joint investigation by the OCR and FTC spurred by media reports that some of Rite Aid's stores in various cities were throwing out customers' prescriptions and labeled pill bottles in industrial dumpsters that were accessible to the public. The settlements apply to all of Rite Aid's nearly 4,900 retail pharmacies.
The HIPAA Privacy Rule requires entities in the health care field protect the privacy of individually identifiable health information, including during its disposal.
“It is critical that companies, large and small, build a culture of compliance to protect consumers' right to privacy and safeguard health information,” said Georgina Verdugo, director of OCR, in a statement from the the Department of Health and Human Services. "OCR is committed to strong enforcement of HIPAA. We hope that this agreement will spur other health organizations to examine and improve their policies and procedures for protecting patient information during the disposal process.”
According to the release, among other issues, the reviews by OCR and the FTC found that Rite Aid failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process; failed to adequately train employees on how to dispose of such information properly; and did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information.
In addition to the fine, under the resolution agreement, RAC must implement a strong corrective action program that includes revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them; training workforce members on these new requirements; conducting internal monitoring; and engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.
This is the second settlement as a result of a joint HHS and FTC investigation. The two agencies worked together on a similar case involving CVS Caremark in February 2009, which resulted in a $2.25 million fine for the pharmacy chain.