CVS Caremark Corp. was charged with violating HIPAA privacy regulations when pharmacy employees threw items such as pill bottles with patient information into the trash. Now, to settle the federal investigation, it has agreed to pay $2.25 million, as announced this Wednesday. In addition, the company has promised to establish and implement policies and procedures for disposing of protected health information, implement a training program, conduct internal monitoring, and hire an outside assessor to evaluate compliance for three years in its more than 6000 retail pharmacy outlets.
The corporation was under joint investigation by the Department of Health and Human Services and the Federal Trade Commission after media reports in 2006 that workers at CVS pharmacies were improperly disposing of sensitive patient and employee data by throwing pill bottles with labels containing patient information into open Dumpsters, along with medication instruction sheets, pharmacy order information, employment applications, payroll data, and credit card and insurance card information.
Apart from the $2.25 million, the FTC order requires the company to establish a comprehensive information security program to protect the data it collects from consumers and employees. The company must also obtain a security audit from a qualified third party every two years for the next 20 years.
Experts have noted that HIPAA rules have had very few enforcement mechanisms in place. Kate Borten, president of The Marblehead Group, a consultancy that helps healthcare organizations meet compliance mandates, said enforcement has been so rare that some healthcare providers say they fail to see a downside in making a weaker effort to comply with HIPAA.
“The thinking has been that the government has taken a ‘kinder and gentler’ attitude,” Borten said. “If a complaint comes in the government will come in and give you time to fix any issues you have.”