Rite Aid Corporation could have avoided a $1 million fine by simply enforcing its HIPAA policies and procedures and providing ongoing staff training, experts say.
Rite Aid, of East Pennsboro Township, PA, and its 40 affiliated entities agreed to pay the Department of Health and Human Services (HHS) $1 million for potential HIPAA privacy violations in a settlement announced by HHS Tuesday.
An investigation by the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules for HHS, revealed the pharmacies disposed pill bottles and prescriptions that included protected health information (PHI) in trash containers without proper safeguards.
Rite Aid, the nation’s third largest pharmacy, also signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act and agreed to report compliance efforts to the FTC for 20 years.
Just shy of 18 months ago, the nation’s second largest pharmacy, CVS Caremark Corp., agreed to pay $2.25 million for nearly identical potential HIPAA violations affecting millions of customers. It also improperly disposed of patient information, such as pill bottle labels, in public trash containers.
“Since these incidents occurred in a variety of cities across the United States, this assumes a pattern of disregard and lack of attention to basic requirements of proper disposal of sensitive and confidential information,” says Phyllis A. Patrick, MBA, FACHE, CHC, cofounder & managing director of AP Health Care Compliance Group, LLC, in Pittsburgh. “There are simple preventative measures that can be put in place to prevent these incidents from happening, and there is a tremendous amount of information available from OCR and the FTC to assist in these efforts. This new violation should serve as a second, even louder wake-up call for the industry.”
Cheryl Slavinsky, director of public relations for Rite Aid, said in a phone interview with HCPro, Inc. that the company does have comprehensive HIPAA policies and procedures and training for employees. However, she admitted that human error led to the charges of Rite Aid’s improper safeguarding of PHI in the HHS and FTC consent agreements.
Rite Aid has not been notified that any individuals were affected by the potential breaches of PHI, Slavinsky said.
OCR’s investigation timeline
Each investigation by OCR began on September 27, 2007, according to the HHS resolution agreements with CVS and Rite Aid.
OCR opened its investigation of Rite Aid after television media videotaped incidents showed disposed prescriptions and labeled pill bottles containing PHI in industrial trash containers accessible to the public.
Rite Aid’s violations occurred between July 2006 and October 2006; CVS’s violations occurred between July 2006 and May 2007.
WTHR, the Indianapolis television outlet that broke improper disposal practices by CVS, Walgreens and Rite Aid, reported Tuesday that federal regulators will next go after Walgreen’s, the nation’s largest pharmacy retail chain. (OCR did not immediately respond to a request to confirm this.)
Among other issues, the reviews by OCR and the FTC indicated that Rite Aid:
- Failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process
- Failed to adequately train employees on how to dispose of such information properly
- Did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information
“The lack of disposal controls, policies and procedures appears to have been a long time security problem with Rite Aid,” says Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, of Des Moines, IA. “Improper disposal of information, in all forms, is one of the weakest links in information security in most organizations. And the safeguards for disposal really are some of the most straight-forward activities, more policies- and human-focused, and much less expensive than the much more expensive network security technology controls that organizations need to implement on their networks.”
Rite Aid’s corrective action plan
Under the HHS resolution agreement, Rite Aid must implement a corrective action program that includes:
- Revising and distributing its policies and procedures regarding disposal of PHI and sanctioning workers who do not follow them
- Training workforce members on these new requirements
- Conducting internal monitoring
- Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS
Rite Aid also agreed to external independent assessments of its pharmacy stores’ compliance with the FTC consent order. The HHS corrective action plan will be in place for three years and the FTC order for 20 years.
The HIPAA Privacy Rule requires health plans, healthcare clearinghouses and most covered entities, including most pharmacies, to safeguard the privacy of patient information, including such information during its disposal.
The HITECH breach notification interim final rule, in effect since September 2009, includes “shredding” as a proper disposal method of paper records.
“It is critical that companies, large and small, build a culture of compliance to protect consumers’ right to privacy and safeguard health information. OCR is committed to strong enforcement of HIPAA,” Georgina Verdugo, director of OCR, said in a statement. “We hope that this agreement will spur other health organizations to examine and improve their policies and procedures for protecting patient information during the disposal process.”
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of the HIPAA College in Casa Grande, AZ, says Rite Aid simply failed to “take care of the basics.”
“This isn’t a case of some high tech, innovatively devised scheme that cracked or bypassed safeguards to protect PHI,” Ruelas says. “Rather, it is representative of a failure to implement basic safeguards that likely would have saved Rite Aid the $1 million dollars it is paying in settlement of this violation and the cost of lost business that this is likely to generate with its customer base.”
CVS, Rite Aid response
In light of its settlement, CVS Caremark Corp. implemented a chain-wide shredding program months after the February 2009 settlement with HHS and the FTC.
Rite Aid has already enhanced its HIPAA training program and reinforced compliance with its disposal program, according to Slavinsky.
Rite Aid stores filled approximately 300 million prescriptions and served an average of 2.2 million customers per day during fiscal year 2010, according to OCR. The settlements apply to all of Rite Aid’s nearly 4,800 retail pharmacies.
The Rite Aid news comes three weeks after HHS released a proposed rule to modify the HIPAA privacy, security, and enforcement rules, extending HIPAA compliance requirements to subcontractors of business associates and strengthening patient rights to health information privacy.
Editor’s note: Visit the OCR privacy website to view the following additional information: