Rite Aid to pay $1 million fine for HIPAA violation


Following a federal finding that it violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by improperly disposing of prescription information, pharmacy chain Rite Aid Corp. and its 40 affiliated entities (collectively, RAC) have agreed to pay a $1 million settlement.

The fine was levied by the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules from within the Department of Health and Human Services. OCR also required that RAC take corrective action to improve policies and procedures to safeguard the privacy of its customers when disposing of identifying information on pill bottle labels and other health information.

In a separate settlement, the Federal Trade Commission also required the company to undergo regular security audits.

The fine follows a four-year joint investigation by the OCR and FTC spurred by media reports that some of Rite Aid's stores in various cities were throwing out customers' prescriptions and labeled pill bottles in industrial dumpsters that were accessible to the public. The settlements apply to all of Rite Aid's nearly 4,900 retail pharmacies.

The HIPAA Privacy Rule requires covered entities in the health care field to protect the privacy of individually identifiable health information throughout its lifecycle, including during its disposal.

“It is critical that companies, large and small, build a culture of compliance to protect consumers' right to privacy and safeguard health information,” said Georgina Verdugo, director of OCR, in a statement from the Department of Health and Human Services. "OCR is committed to strong enforcement of HIPAA. We hope that this agreement will spur other health organizations to examine and improve their policies and procedures for protecting patient information during the disposal process.”

According to the release, among other issues, the reviews by OCR and the FTC found that Rite Aid failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process; failed to adequately train employees on how to dispose of such information properly; and did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information.

In addition to the fine, under the resolution agreement, RAC must implement a strong corrective action program that includes revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them; training workforce members on these new requirements; conducting internal monitoring; and engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.

This is the second settlement as a result of a joint HHS and FTC investigation. The two agencies worked together on a similar case involving CVS Caremark in February 2009, which resulted in a $2.25 million fine for the pharmacy chain.
