Final settlement reached in CVS HIPAA violation suit

CVS Caremark must implement an information security program and obtain assessments of its effectiveness every other year for 20 years to settle federal charges that its employees threw out personal information about patients into garbage bins.

The Federal Trade Commission approved the final consent order Tuesday, settling charges that CVS Caremark violated the Health Insurance Portability and Accountability Act (HIPAA) in 2006, when pharmacy workers discarded pill bottles, medication instruction sheets and computerized order information into open trash containers. As part of the final consent order, CVS Caremark, which operates approximately 6,300 retail pharmacy stores, must designate an employee to create a comprehensive, written program outlining the actions the company will take to protect information collected from consumers.

In February, the company was ordered to pay $2.25 million for violating HIPAA. 

As part of its information security program, CVS Caremark must identify the personal information it is storing and conduct an assessment of the internal and external threats that pose a risk to the material, according to the final consent order. The risk assessment must address employee training, systems where the information is stored and attacks or intrusions. The company must then implement safeguards for the risks identified and regularly monitor their effectiveness internally.

Also, the company must obtain assessment reports from a third-party organization every two years for the next 20 years to be provided to the Bureau of Consumer Protection at the FTC.

“That the FTC had to mandate that CVS Caremark assign an employee to document what should have already been at the core of their business would tend to indicate a very sloppy business that will gain great efficiencies from some sorely absent discipline in their operations,” Randy Abrams, director of technical education at security vendor ESET, said in an email Thursday.

If CVS Caremark follows through with the requirements of the court order, then this will probably be a cost-saving measure in the long run, Abrams said. He added that business will likely improve if the company instills in its employees an attitude of concern about privacy and security.

“I doubt that many, if any, of the employees were cognizant of the fact that simply throwing away prescription bottles with consumer information was a privacy problem,” Abrams said.

In addition, with the final consent order, CVS Caremark was ordered not to misrepresent the extent to which it protects the privacy and confidentiality of personal information about customers in any advertisements or promotions. The company's privacy policy regarding patient health information currently states, “CVS/pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information.” But the inappropriate disposal of sensitive material illustrated that CVS Caremark did not appropriately safeguard personal information, the federal complaint states.

A CVS Caremark spokesperson did not respond to a request for comment Thursday.