Now that's a big HIPAA fine
Rite Aid latest chain to run afoul of privacy rules
Federal agencies, hard at work to protect the swelling volume of digitized health information fueled by technology subsidies, have taken to task a chain of retail pharmacies accused of a decidedly low-tech breach: tossing paperwork and pill bottles in unsecured trash bins behind its stores.
Rite Aid Corp. agreed to pay $1 million and take corrective action in a pair of settlements with HHS’ Office for Civil Rights and the Federal Trade Commission resolving potential violations of the privacy provisions of the Health Insurance Portability and Accountability Act of 1996.
The agencies launched investigations in 2007 after TV news reports appeared to show that employees of Rite Aid and its major competitors routinely disposed of materials bearing customers’ clearly legible personal information in publicly accessible bins.
CVS Caremark Corp. previously agreed to pay $2.25 million and entered similar agreements with HHS and the FTC. All of the agreements stipulate that the companies have entered into them without admitted liability or wrongdoing.
The “resolution payments” are the largest sums extracted for alleged HIPAA violations since the law was passed. An investigation into the disposal practices of Walgreen Co. pharmacies remains open, according to the Office for Civil Rights.
The Obama administration, in the span of these investigations, strengthened HIPAA privacy and security provisions aimed at safeguarding health information, and increased penalties for violations in tandem with pumping about $14 billion to $27 billion into subsidies to quicken the adoption of electronic health records by hospitals and physicians.
“A consistent theme is that we need to make sure the public—meaning patients and enrollees and providers—are comfortable that protected health information is secure,” said lawyer Kathryn Roe, a principal in the Health Law Consultancy. “There’s this sense that as more and more information becomes electronic, the exposure increases because of the ease with which one can send out an e-mail or flip a switch and all of a sudden you have” protected health information on a public website.
The stimulus law requires that organizations subject to HIPAA’s privacy protections report security breaches affecting at least 500 individuals and those breaches are posted on an HHS website (See related story below). More than 100 organizations have made the list since it went live in February.
Roe noted that most of those breaches, though they involve electronic information, can be traced to the same type of security weaknesses that would lead to health information being exposed in unsecured garbage. “When you break it down in terms of what are the highest types of losses, it goes back to portable devices and it’s either theft or something that has to do with
Roe: Patients need to be assured their information is safe.
Goldberg: HHS is stressing negotiations with violators.