Rite Aid Corp. agreed to pay $1 million to the U.S. Department of Health and Human Services (HHS) for HIPAA violations stemming from its tossing of pill bottles containing patient information into unsecured dumpsters outside its stores. The Federal Trade Commission (FTC) was in on the investigation, and the settlement also puts to rest the potential violations of the FTC Act of 1914 involved in the case.
While health care IT leaders are getting to know the implications of the Health Insurance Portability and Accountability Act and its ramifications for their data security setups — which are driven home when the HHS Office for Civil Rights publicly posts data breaches involving 500 or more customers — they might not be as familiar with how the FTC can get involved. It’s the second time HHS and FTC watchdogs have coordinated their investigative efforts in the name of protecting patient data; last year CVS Caremark also got hit with a similar case and settlement.
Here’s how it happened: Rite Aid had made claims such as this one: “Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously. … Although you have the right not to disclose your medical history, Rite Aid would like to assure you that we respect and protect your privacy.” The FTC alleged that the claim was deceptive and that Rite Aid’s security practices were unfair, in violation of Section 5(a) of the FTC Act.
As part of the settlement with the FTC, Rite Aid agreed to put in place a comprehensive information security plan and to submit to biennial audits to make sure it’s adhering to the settlement terms. All that and — probably not that surprising — the order bars future misrepresentations of the company’s security practices.
This all came in addition to Rite Aid paying $1 million to HHS and agreeing to make a new comprehensive HIPAA compliance plan for disposing of pill bottles and documents containing customers’ protected health information, as well as to train employees to help execute that plan and to establish internal monitoring procedures to make sure it’s all happening according to the settlement.
And oh yeah, did we mention the uncountable cost of the bad publicity this case has caused Rite Aid and its nearly 5,000 stores? It just underscores the importance of remaining vigilant about your facility’s HIPAA compliance. These regulators take patient privacy seriously, and facilities that are not periodically revisiting and improving their compliance plans could end up suffering the same consequences as Rite Aid.