The 2nd ever to date HIPAA sanction has been handed down by the Department of Health and Human Services (HHS)…
“CVS Pays $2.25 Million and Toughens Practices to Settle HIPAA Privacy Case”
The fine is primarily because of CVS’s poor disposal practices…throwing away confidential information into unsecured dumpsters throughout many of their chain store locations.
Horrible disposal practices are so often the reason for privacy breaches, yet most organizations still overlook this mundane, but hugely important, security issue!
Better procedures, and MUCH more training and awareness communications for personnel, will drastically reduce these types of silly, completely idiotic, types of security incidents.
This is one more example, of a very large number of actual examples, of how technology solution alone is NOT even close to being sufficient for properly safeguarding information, in all forms, enterprise-wide.
Note to business owners: Do not spend all your money, time and resources solely on digital technology security solutions!!! The human element will cause around 80% of incidents according growing numbers of reports and research.
Read the resolution agreement here.
Here’s a list of the lone other sanction, along with the 8 HIPAA felony convictions I’m aware of being handed down to date.
I’ll update my list of all into one document soon…I need to check on a couple of other pending HIPAA felony charges.
Here’s the press release from the HHS about the CVS sanction:
“The U.S. Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) today announced that CVS, the nation’s largest retail pharmacy chain, will pay the U.S. government a $2.25 million settlement and take corrective action to ensure it does not violate the privacy of its millions of patients when disposing of patient information such as identifying information on pill bottle labels.
The settlement, which applies to all of CVS’s more than 6,000 retail pharmacies, follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.
In a coordinated action, CVS Caremark Corp., the parent company of the pharmacy chain, also signed a consent order with the FTC to settle potential violations of the FTC Act.
OCR, which enforces the Privacy Rule, opened its investigation of CVS pharmacy compliance with the Privacy Rule after media reports alleged that patient information maintained by the pharmacy chain was being disposed of in industrial trash containers outside selected stores that were not secure and could be accessed by the public. At the same time, the FTC opened an investigation of CVS.
OCR and the FTC conducted their investigations jointly. This is the first instance in which OCR has coordinated investigation and resolution of a case with the FTC.
“OCR is committed to strong enforcement of the HIPAA Privacy Rule to protect patients’ rights to privacy of their health information. We hope that this agreement will spur other health organizations to examine and improve their privacy protections for patient information during the disposal process,” said Robinsue Frohboese, acting director of OCR. “Such safeguards will benefit consumers everywhere.”
The Privacy Rule requires health plans, health care clearinghouses and most health care providers (covered entities), including most pharmacies, to safeguard the privacy of patient information, including such information during its disposal.
Among other issues, the reviews by OCR and the FTC indicated that:
- CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process; and
- CVS failed to adequately train employees on how to dispose of such information properly.
Under the HHS resolution agreement, CVS agreed to pay a $2.25 million resolution amount and implement a robust corrective action plan that requires Privacy Rule compliant policies and procedures for safeguarding patient information during disposal, employee training and employee sanctions for noncompliance.
HHS and FTC also will require CVS to actively monitor its compliance with the resolution agreement and FTC consent order. The monitoring requirement specifies that CVS must engage a qualified independent third party to conduct assessments of CVS compliance and render reports to the federal agencies. The HHS corrective action plan will be in place for three years; the FTC requires monitoring for 20 years.
The HHS Resolution Agreement and Corrective Action Plan can be found on the OCR Web site at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.”
Tags: awareness and training, CVS, HIPAA, HIPAA sanction, Information Security, IT compliance, IT training, policies and procedures, privacy rule, privacy training, risk management, security rule, security training