In what may signal a new commitment to enforce Health Insurance Portability and Accountability Act (HIPAA) rules, the U.S. government will receive $2.25 million from CVS Caremark Corp. to settle charges of HIPAA privacy violations.
The settlement stems from a federal investigation into allegations that CVS pharmacy employees threw items containing sensitive patient information in the trash. The joint investigation by the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) alleges that CVS employees tossed pill bottles with labels containing patient information into open dumpsters, along with pharmacy order information, employment applications, payroll data, and credit card and insurance card information, Information Security magazine reported.
The FTC said CVS violated federal laws by failing to implement reasonable and appropriate procedures for handling personal information about customers and employees and did not adequately train employees on secure disposal of personal information.
In addition to paying HHS $2.25 million, the FTC has ordered the company's more than 6,000 retail pharmacies to establish and implement policies and procedures for disposing of protected health information, implement a training program, conduct internal monitoring, and hire an outside assessor to evaluate its compliance for three years, Information Security said.
The FTC order requires CVS to set up a comprehensive information security program to protect the data it collects from consumers and employees. The company is also required to hire a qualified third party to audit its security procedures every two years for the next 20 years.
Although CVS has agreed to pay the $2.25 million settlement, it denied any wrongdoing in its agreement with the FTC and HHS. In a statement, CVS said it has improved its waste disposal policies and implemented a chain-wide shredding program for confidential waste. The company added that it does not know of any consumers who were harmed by the alleged incidents.
Over the past few years, compliance experts have criticized the government for not enforcing HIPAA rules. In November 2008, the Office of Inspector General issued a report criticizing the HHS for failing to be proactive in enforcing the act, according to Information Security.
But things may be changing. President Barack Obama's economic stimulus package includes plans to significantly expand HIPAA. The new rules address medical record privacy and security for healthcare organizations and their business associates. Included is a breach notification law requiring healthcare providers to notify individuals publicly if the information of more than 500 people is lost or stolen. The rules also call for enforcement and penalties and allow state attorneys general to bring a civil action in federal district court against HIPAA violators.