Now that's a big HIPPA fine

Rite Aid lat­est chain to run afoul of pri­vacy rules

Modern Healthcare - - Front Page - Gregg Blesch

Fed­eral agen­cies, hard at work to pro­tect the swelling vol­ume of dig­i­tized health in­for­ma­tion fu­eled by technology sub­si­dies, have taken to task a chain of re­tail phar­ma­cies ac­cused of a de­cid­edly lowtech breach: toss­ing pa­per­work and pill bot­tles in un­se­cured trash bins be­hind its stores.

Rite Aid Corp. agreed to pay $1 mil­lion and take cor­rec­tive ac­tion in a pair of set­tle­ments with HHS’ Of­fice for Civil Rights and the Fed­eral Trade Com­mis­sion re­solv­ing po­ten­tial vi­o­la­tions of the pri­vacy pro­vi­sions of the Health In­surance Porta­bil­ity and Ac­count­abil­ity Act of 1996.

The agen­cies launched in­ves­ti­ga­tions in 2007 af­ter TV news re­ports ap­peared to show that em­ploy­ees of Rite Aid and its ma­jor com­peti­tors rou­tinely dis­posed of ma­te­ri­als bear­ing cus­tomers’ clearly leg­i­ble per­sonal in­for­ma­tion in pub­licly ac­ces­si­ble bins.

CVS Care­mark Corp. pre­vi­ously agreed to pay $2.25 mil­lion and en­tered sim­i­lar agree­ments with HHS and the FTC. All of the agree­ments stip­u­late that the com­pa­nies have en­tered into them with­out ad­mit­ted li­a­bil­ity or wrong­do­ing.

The “res­o­lu­tion pay­ments” are the largest sums ex­tracted for al­leged HIPAA vi­o­la­tions since the law was passed. An in­ves­ti­ga­tion into the dis­posal prac­tices of Wal­green Co. phar­ma­cies re­mains open, ac­cord­ing to the Of­fice for Civil Rights.

The Obama ad­min­is­tra­tion, in the span of these in­ves­ti­ga­tions, strength­ened HIPAA pri­vacy and se­cu­rity pro­vi­sions aimed at safe­guard­ing health in­for­ma­tion, and in­creased penal­ties for vi­o­la­tions in tan­dem with pump­ing about $14 bil­lion to $27 bil­lion into sub­si­dies to quicken the adop­tion of elec­tronic health records by hos­pi­tals and physi­cians.

“A con­sis­tent theme is that we need to make sure the pub­lic—mean­ing pa­tients and en­rollees and providers—are com­fort­able that pro­tected health in­for­ma­tion is se­cure,” said lawyer Kathryn Roe, a prin­ci­pal in the Health Law Con­sul­tancy. “There’s this sense that as more and more in­for­ma­tion be­comes elec­tronic, the ex­po­sure in­creases be­cause of the ease with which one can send out an e-mail or flip a switch and all of a sud­den you have” pro­tected health in­for­ma­tion on a pub­lic web­site.

The stim­u­lus law re­quires that or­ga­ni­za­tions sub­ject to HIPAA’s pri­vacy pro­tec­tions re­port se­cu­rity breaches af­fect­ing at least 500 in­di­vid­u­als and those breaches are posted on an HHS web­site (See re­lated story be­low). More than 100 or­ga­ni­za­tions have made the list since it went live in Fe­bru­ary.

Roe noted that most of those breaches, though they in­volve elec­tronic in­for­ma­tion, can be traced to the same type of se­cu­rity weak­nesses that would lead to health in­for­ma­tion be­ing ex­posed in un­se­cured garbage. “When you break it down in terms of what are the high­est types of losses, it goes back to por­ta­ble de­vices and it’s ei­ther theft or some­thing that has to do with

Roe: Pa­tients need to be as­sured their in­for­ma­tion is safe.

Gold­berg: HHS is stressing ne­go­ti­a­tions with vi­o­la­tors.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.