The Rite Aid Corporation, the third largest pharmacy chain in the United States, reached a major settlement with both the Federal Trade Commission (FTC) and HHS's Office of Civil Rights (OCR) regarding charges that Rite Aid violated federal privacy and security laws and regulations by failing to keep its customers' and employees' data safe.
Rite Aid employees were reported to discard prescriptions and pill bottles containing sensitive patient data into the dumpsters behind various Rite Aid pharmacies, which were easily accessible to the public. Such practices violate the HIPAA Privacy Rule, which requires covered entities to safeguard the privacy of patient information, even when such information is being destroyed. Rite Aid's actions may also violate the company's own promises to their customers regarding keeping their health information private and secure (this broken promise being the basis for FTC's charges).
In addition, OCR and FTC found that Rite Aid:
- failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process;
- failed to adequately train employees on how to dispose of such information properly;
- failed to employ a reasonable process for discovering and remedying risks to personal information; and
- did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information.
Pursuant to their settlement with HHS, Rite Aid agreed to pay HHS a cool $1 million and agreed to implement a strong corrective action program (lasting 3 years) which includes:
- Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
- Training workforce members on these new requirements;
- Conducting internal monitoring; and
- Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.
Finally, Rite Aid has also agreed to external independent assessments of its pharmacy stores’ compliance with the FTC consent order, which will be in place for 20 years.
FTC and OCR have previously filed charges against CVS Caremark, another major pharmacy chain which was reported to engage in similar violations to Rite Aid's.
The current economic conditions require most organizations to do more with less. The unfortunate end result is that long term projects, such as major privacy and security compliance reviews and overhauls get postponed and overlooked. Rite Aid and CVS cases should remind covered entities and other organizations responsible for keeping patient information safe that neglect or procrastination with regard to privacy policies and practices can lead to major fines, PR embarrassments and excessive compliance and legal costs.
It is also key to remember that your organization must comply with its own privacy policies and procedures -- otherwise, FTC can charge your organization for "false promises," as was the case with Rite Aid. In order to comply with such policies, however, your organization must train the staff about the critical importance of privacy. Without such training, all the policies and procedures will be rendered entirely ineffective.
You can read the full OCR press release by clicking here.
You can read the full FTC press release by clicking here.