HIPAA Settlement: Dumping of PHI Results In $2.25M Settlement

Friday, 20 February 2009
This week's settlement by CVS, the nation's largest retail pharmacy chain, to pay the U.S. government $2.25 million and take corrective action highlights the need for providers and other covered entities to focus on simple privacy protections, such as disposing of patient information in a secure manner.

The first known joint investigation and settlement by the U.S. Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC), with CVS, was the result of CVS failing to guard patients' PHI when disposing of patient information, such as identifying information on pill bottle labels.

The review and settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by OCR and the FTC indicated that:
  • CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process
  • CVS failed to adequately train employees on how to dispose of such information properly
The investigation started after various news media reported finding that prescription drug and other PHI had been dumped into unsecured trash containers at CVS pharmacies. As a result, CVS not only violated the HIPAA Privacy Rule but also was brought under the FTC's deceptive business practice guidelines for representing to consumers that maintaining customer privacy was central to its operations.
For more, read the OCR Press Release (related OCR information/summary), the FTC Press Release (related FTC Complaint and Consent Order) and the Resolution Agreement. Also, OCR has posted new FAQs that address the HIPAA Privacy Rule requirements for disposal of PHI.