Rite Aid has agreed to pay $1 million to settle complaints that it violated patient privacy by carelessly disposing of pill bottles and labels. The drug store chain also agreed to take corrective action to guard against future violations.
The U.S. Department of Health and Human Services (HHS) said it opened its investigation after television news shows aired videotaped incidents in which pharmacies disposed of prescriptions and labeled pill bottles containing individuals identifiable information in industrial trash containers that were accessible to the public.
These incidents were reported as occurring in a variety of cities across the United States. Rite Aid pharmacy stores in several of the cities were highlighted in media reports.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires health plans, health care clearinghouses and most health care providers, including most pharmacies, to safeguard the privacy of patient information, including such information during its disposal.
It's the second investigation and settlement involving a major drug chain. The Federal Trade Commission (FTC) settled a similar case involving another national drug store chain in February 2009.
It is critical that companies, large and small, build a culture of compliance to protect consumers right to privacy and safeguard health information. OCR is committed to strong enforcement of HIPAA, said Georgina Verdugo, director of the HHS Office of Civil Rights. We hope that this agreement will spur other health organizations to examine and improve their policies and procedures for protecting patient information during the disposal process.
Among other issues, the reviews by the federal agencies indicated that:
• Rite Aid failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process;
• Rite Aid failed to adequately train employees on how to dispose of such information properly; and
• Rite Aid did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information.
Under the HHS resolution agreement, Rite Aid agreed to pay a $1 million resolution amount to HHS and must implement a strong corrective action program that includes:
•
Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
• Training workforce members on these new requirements;
• Conducting internal monitoring; and
• Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.
