CVS Caremark Corp. has agreed to pay $2.25 million to settle a federal investigation into allegations that it violated HIPAA privacy regulations when pharmacy employees threw items such as pill bottles with patient information into the trash.
The settlement, announced Wednesday, follows a joint investigation by the Department of Health and Human Services and the Federal Trade Commission after media reports in 2006 that workers at CVS pharmacies were improperly disposing of sensitive patient and employee data.
Employees allegedly tossed pill bottles with labels containing patient information into open Dumpsters, along with medication instruction sheets, pharmacy order information, employment applications, payroll data, and credit card and insurance card information.
According to the FTC, CVS Caremark violated federal laws by failing to implement reasonable and appropriate procedures for handling personal information about customers and employees and did not adequately train employees on secure disposal of personal information.
In addition to paying HHS $2.25 million, the company's more than 6,000 retail pharmacies must establish and implement policies and procedures for disposing of protected health information, implement a training program, conduct internal monitoring and hire an outside assessor to evaluate compliance for three years.
The FTC order requires the company to establish a comprehensive information security program to protect the data it collects from consumers and employees. The company must also obtain a security audit from a qualified third party every two years for the next 20 years.
In a prepared statement, Woonsocket, R.I.-based CVS Caremark said the company responded promptly to the 2006 media reports by improving its retail waste disposal policies and implementing a chain-wide shredding program for confidential waste.
The company said it is not aware of any consumers being harmed by the alleged incidents. In the agreement with the FTC and HHS, CVS Caremark expressly denied engaging in any wrongful conduct.
Over the last several years, compliance experts have said that the HIPAA rules have had very few enforcement mechanisms behind them. Kate Borten, president of The Marblehead Group, a consultancy that helps healthcare organizations meet compliance mandates, said enforcement has been so rare that some healthcare providers see no downside in making only a weak effort to comply with HIPAA.
"The thinking has been that the government has taken a 'kinder and gentler' attitude," Borten said. "If a complaint comes in, the government will come in and give you time to fix any issues you have."
In November, the Office of Inspector General (OIG) issued a report criticizing the Department of Health and Human Services for failing to be proactive in enforcing HIPAA rules.
Lax enforcement may be changing. President Barack Obama's stimulus package, signed into law on Tuesday, included new rules that significantly expand HIPAA. The rules govern the privacy and security of medical records held by healthcare organizations and now extend to their so-called business associates. They include a breach notification requirement, obliging healthcare providers to notify affected individuals of a breach and to make the notification public when more than 500 people are affected. Stricter enforcement and penalties are also spelled out in the law, which authorizes state attorneys general to bring civil actions in federal district court against those who violate HIPAA.
"It gives much more teeth to compliance and enforcement," Borten said of the new rules. "The government is ratcheting up pressure in healthcare and other organizations to protect sensitive data and keep it out of the hands of criminals."
News Editor Robert Westervelt contributed to this report.