One of the largest drugstore chains in America, Rite Aid Corp. and its affiliates, has agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act, or HIPAA.
The U.S. Department of Health and Human Services announced today the drug store chain also agreed to take corrective action to improve policies and procedures to safeguard the privacy of its customers when disposing of pill bottle labels and other health information.
The settlements apply to all of Rite Aid's nearly 4,800 retail pharmacies and follow an extensive joint investigation by the Office for Civil Rights and the FTC.
The Office for Civil Rights, which enforces HIPAA rules, opened its investigation of Rite Aid after television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing customers' identifiable information in industrial trash containers. Film footage showed the trash receptacles were accessible to the public.
The incidents were reported as occurring in a variety of cities across the United States. Rite Aid pharmacy stores in several of the cities were highlighted in media reports.
Such disposal is not compliant with several requirements of the HIPAA Privacy Rule and exposes the individuals' information to the risk of identity theft and other crimes.
A similar investigation and settlement involving another national drug store chain happened in February of 2009.
"It is critical that companies, large and small, build a culture of compliance to protect consumers' right to privacy and safeguard health information," said Georgina Verdugo, director of the Office for Civil Rights. "We hope that this agreement will spur other health organizations to examine and improve their policies and procedures for protecting patient information during the disposal process."
Among other issues, the investigation into Rite Aid indicated that Rite Aid failed to adequately train employees on how to dispose of protected health information properly, and the company did not maintain a sanctions policy for employees who failed to properly dispose of patient information.
Under the resolution agreement, Rite Aid must implement a strong corrective action program that includes policy and procedure revisions, training its workforce on the new requirements, conducting internal monitoring and using a qualified, independent third-party assessor to conduct compliance reviews and render reports to Health and Human Services.
The agreement and plan can be found at www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.