Rite Aid to Pay $1 Million in HIPAA CaseHHS, FTC Also Require Corrective Actions
The Department of Health and Human Services levied the fine and required corrective action to settle the HIPAA-related charges. In addition, the Federal Trade Commission required another set of corrective actions, including frequent security audits.
The settlement comes after a four-year investigation that originated when media reports revealed that stores in various cities disposed of prescriptions and labeled pill bottles in open dumpsters that were accessible to the public.
"Disposing of individuals' health information in an industrial trash container accessible to unauthorized persons is not compliant with several requirements of the HIPAA privacy rule and exposes the individual's information to the risk of identity theft and other crimes," HHS said in a release.
Rite Aid has about 4,900 retail pharmacies.
The Rite Aid case is the second settlement as a result of a joint HHS and FTC investigation. The agencies settled a similar case against CVS Caremark in February 2009. That settlement resulted a $2.25 million fine.
Corrective ActionsThe HHS settlement requires the company's pharmacies to:
- Establish policies and procedures for disposing of protected health information and sanctioning workers who do not follow them;
- Create a training program for disposing of patient information;
- Conduct internal monitoring;
- Obtain an independent assessment of its compliance for three years.
The FTC settlement requires the company to:
- Establish a comprehensive information security program designed to protect the security, confidentiality and integrity of the personal information it collects from consumers and employees;
- Obtain, every two years for the next 20 years, an audit from a qualified independent third-party professional to ensure that its security program meets the standards of the settlement.