An Office for Civil Rights investigation into the nation’s largest drugstore chain, over potential HIPAA violations that cost the industry’s second- and third-largest chains millions of dollars in settlements, is one year later still just that – an investigation.
Last August, OCR confirmed its investigation into Walgreens based on the same television media reports that led to million-dollar settlements with CVS and Rite Aid for potential HIPAA violations.
Contacted recently, Amanda Fine, spokesperson for OCR, offered no comment but confirmed in an e-mail to HIPAA Update that the investigation into Walgreens remains “open.”
“OCR cannot comment on the timing or the details of an open investigation,” Fine said when asked about Walgreens.
The government’s investigations into the pharmacies date back four years. The HIPAA privacy and security rule enforcer’s investigation into CVS and Rite Aid began September 27, 2007, according to each pharmacy chain’s consent agreement with the Department of Health & Human Services.
The agreements included a $2.25 million settlement for CVS (announced February 18, 2009) and a $1 million payment by Rite Aid (announced July 27, 2010) with HHS.
Though neither consent agreement mentioned an investigation into Walgreens, OCR confirmed last year that it is looking into the HIPAA compliance practices of the Deerfield, IL, company.
Walgreens operates the most drugstores in the country, ahead of No. 2 CVS and No. 3 Rite Aid.
HHS’s consent agreements with CVS and Rite Aid revealed that the pharmacies disposed of pill bottles and prescriptions that included protected health information (PHI) in trash containers without proper safeguards.
WTHR, the Indianapolis television outlet that broke the story of the improper disposal practices after a nationwide “dumpster-diving” investigation, reported that Walgreens was one of the pharmacies where it found PHI in Dumpsters easily accessible to the public.
In addition to paying HHS $1 million, Rite Aid signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act and agreed to report compliance efforts to the FTC for 20 years.
CVS, meanwhile, agreed to implement a robust corrective action plan that requires:
- Privacy rule compliant policies and procedures for safeguarding disposed patient information
- Employee training on HIPAA
- Employee sanctions for noncompliance
In addition, CVS must monitor its compliance with the HHS and FTC orders by having a third party conduct assessments and report to the federal agencies. The HHS corrective action plan lasts three years; the FTC requires monitoring for 20 years.
Rite Aid’s corrective action plan is similar.
The money collected by OCR through these settlements goes to “enforcement activities under the HITECH Act and the HIPAA Privacy and Security regulations,” OCR wrote in an e-mail to HealthLeaders Media.