If you have not examined your document destruction practices recently, the latest HIPAA enforcement action is a good reminder that unsecured disposal practices can lead to significant HIPAA liability.
Last June, we saw for the very first time the Department of Health & Human Services (HHS) penalize a health care provider for HIPAA violations when it entered into a $100,000 settlement with Providence Health System. That penalty now seems small in light of the $2.25 million settlement that HHS has just entered into with CVS Pharmacy. Even more significant is that the Federal Trade Commission (FTC) joined in the investigation, alleging unfair and deceptive acts by CVS Pharmacy.
The investigation was prompted by a series of television news reports in 2006 and 2007 from 15 different cities across the country in which investigative reporters went Dumpster diving at CVS and other pharmacies. The FTC alleges that CVS improperly disposed of materials containing personal information with clear, readable text (such as prescriptions, prescription bottles, pharmacy labels, computer printouts, prescription purchase refunds, credit card receipts and employee records) in unsecured, publicly accessible trash receptacles. According to HHS allegations, CVS's HIPAA policies did not adequately address how pharmacy employees were to safely dispose of these materials, and the training these employees received was inadequate.
CVS did not admit to any wrongdoing or HIPAA violations, but it entered into a settlement, agreeing to pay $2.25 million to HHS. It also agreed to revise its HIPAA policies and procedures, to train its employees on the new procedures, and to have an independent assessor review its practices every other year for the next 20 years.
This is the first time the FTC has gotten involved in the investigation of a health care provider, but it highlights that a violation of HIPAA may also violate consumer protection laws. As you may also be aware, the economic stimulus bill that President Obama signed on February 17, 2009, includes stiffer penalties for HIPAA violations (up to $1.5 million per violation per year) and also authorizes state attorneys general to bring lawsuits enforcing HIPAA.
HIPAA's secure disposal practices apply not just to pharmacies, but to any health care providers subject to HIPAA, to insurers, and to employers who sponsor self-insured health plans. If you have any questions about secure disposal practices under HIPAA, or about any other HIPAA compliance issues, please contact Norbert F. Kugele at 616.752.2186 or at email@example.com.