The first known joint investigation and settlement by the U.S. Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) with CVS was the result of CVS failing to guard patients PHI when disposing of patient information such as identifying information on pill bottle labels. .
The review and settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by OCR and the FTC indicated that:
- CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process
- CVS failed to adequately train employees on how to dispose of such information properly
For more read the OCR Press Release (related OCR information/summary) FTC Press ReleaseComplaint and Consent Order) and the Resolution Agreement. Also, OCR has posted new FAQs that address the HIPAA Privacy Rule requirements for disposal of PHI. (related FTC