Rite Aid to Pay $1 Million in HIPAA Case

HHS, FTC Also Require Corrective Actions
Pharmacy chain Rite Aid Corp. has agreed to pay a $1 million fine and take corrective action to settle federal charges that it violated the HIPAA privacy rule and the FTC Act when some of its stores improperly disposed of prescription information in dumpsters.

The Department of Health and Human Services levied the fine and required corrective action to settle the HIPAA-related charges. In addition, the Federal Trade Commission required another set of corrective actions, including frequent security audits.

The settlement comes after a four-year investigation that originated when media reports revealed that stores in various cities disposed of prescriptions and labeled pill bottles in open dumpsters that were accessible to the public.

"Disposing of individuals' health information in an industrial trash container accessible to unauthorized persons is not compliant with several requirements of the HIPAA privacy rule and exposes the individual's information to the risk of identity theft and other crimes," HHS said in a release.

Rite Aid has about 4,900 retail pharmacies.

The Rite Aid case is the second settlement as a result of a joint HHS and FTC investigation. The agencies settled a similar case against CVS Caremark in February 2009. That settlement resulted in a $2.25 million fine.

Corrective Actions

The HHS settlement requires the company's pharmacies to:

  • Establish policies and procedures for disposing of protected health information and sanctioning workers who do not follow them;
  • Create a training program for disposing of patient information;
  • Conduct internal monitoring;
  • Obtain an independent assessment of its compliance for three years.

The FTC settlement requires the company to:

  • Establish a comprehensive information security program designed to protect the security, confidentiality and integrity of the personal information it collects from consumers and employees;
  • Obtain, every two years for the next 20 years, an audit from a qualified independent third-party professional to ensure that its security program meets the standards of the settlement.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
