Rite Aid to Pay $1 Million in HIPAA Case

Credit EligibleAs a HealthcareInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info

Pharmacy chain Rite Aid Corp. has agreed to pay a $1 million fine and take corrective action to settle federal charges that it violated the HIPAA privacy rule and the FTC Act when some of its stores improperly disposed of prescription information in dumpsters.

The Department of Health and Human Services levied the fine and required corrective action to settle the HIPAA-related charges. In addition, the Federal Trade Commission required another set of corrective actions, including frequent security audits.

The settlement comes after a four-year investigation that originated when media reports revealed that stores in various cities disposed of prescriptions and labeled pill bottles in open dumpsters that were accessible to the public.

"Disposing of individuals' health information in an industrial trash container accessible to unauthorized persons is not compliant with several requirements of the HIPAA privacy rule and exposes the individual's information to the risk of identity theft and other crimes," HHS said in a release.

Rite Aid has about 4,900 retail pharmacies.

The Rite Aid case is the second settlement as a result of a joint HHS and FTC investigation. The agencies settled a similar case against CVS Caremark in February 2009. That settlement resulted a $2.25 million fine.

Corrective Actions

Click to Get Updates on the Latest Information Security News

Company* Title* Email* Subscription Type: HTML Text Healthcare Enews General Healthcare Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Government Enews General Government Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Banking Enews General Banking Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Credit Union Enews General Credit Union Enews Blogs Enews Careers Enews Training Enews Webinars Enews Podcasts Enews White Papers Enews Need Help?

• Establish policies and procedures for disposing of protected health information and sanctioning workers who do not follow them;
• Create a training program for disposing of patient information;
• Conduct internal monitoring;
• Obtain an independent assessment of its compliance for three years.

The FTC settlement requires the company to:

• Establish a comprehensive information security program designed to protect the security, confidentiality and integrity of the personal information it collects from consumers and employees;
• Obtain, every two years for the next 20 years, an audit from a qualified independent third-party professional to ensure that its security program meets the standards of the settlement.