Skip to main content
A Better Partnership


Feb 2009
February 26, 2009

New HIPAA Enforcement Focuses on Document Destruction Practices

If you have not examined your document destruction practices recently, the latest HIPAA enforcement action is a good reminder that unsecured disposal practices can lead to significant HIPAA liability.

Last June, we saw for the very first time the Department of Health & Human Services (HHS) penalize a health care provider for HIPAA violations when it entered into a $100,000 settlement with Providence Health System. That penalty now seems small in light of the $2.25 million settlement that HHS has just entered into with CVS Pharmacy. Even more significant is that the Federal Trade Commission (FTC) joined in the investigation, alleging unfair and deceptive acts by CVS Pharmacy.

The investigation was prompted by a series of television news reports in 2006 and 2007 from 15 different cities across the country in which investigative reporters went Dumpster diving at CVS and other pharmacies. The FTC alleges that CVS improperly disposed of materials containing personal information with clear, readable text (such as prescriptions, prescription bottles, pharmacy labels, computer printouts, prescription purchase refunds, credit card receipts and employee records) in unsecured, publicly accessible trash receptacles. According to HHS allegations, CVS's HIPAA policies did not adequately address how pharmacy employees were to safely dispose of these materials and the training these employees received was inadequate.

CVS did not admit to any wrongdoing or HIPAA violations, but it entered into a settlement, agreeing to pay $2.25 million to HHS. It also agreed to revise its HIPAA policies and procedures, to train its employees on the new procedures, and to have an independent assessor review its practices every other year for the next 20 years.

This is the first time the FTC has gotten involved in the investigation of a health care provider, but it highlights that a violation of HIPAA may also violate consumer protection laws. As you may also be aware, the economic stimulus bill that President Obama signed on February 17, 2009, includes stiffer penalties for HIPAA violations (up to $1.5 million per violation per year) and also authorizes state attorneys general to bring lawsuits enforcing HIPAA.

HIPAA's secure disposal practices apply not just to pharmacies, but to any health care providers subject to HIPAA, to insurers, and to employers who sponsor self-insured health plans. If you have any questions about secure disposal practices under HIPAA, or about any other HIPAA compliance issues, please contact Norbert F. Kugele at 616.752.2186 or at

NOTICE. Although we would like to hear from you, we cannot represent you until we know that doing so will not create a conflict of interest. Also, we cannot treat unsolicited information as confidential. Accordingly, please do not send us any information about any matter that may involve you until you receive a written statement from us that we represent you.

By clicking the ‘ACCEPT’ button, you agree that we may review any information you transmit to us. You recognize that our review of your information, even if you submitted it in a good faith effort to retain us, and even if you consider it confidential, does not preclude us from representing another client directly adverse to you, even in a matter where that information could and will be used against you.

Please click the ‘ACCEPT’ button if you understand and accept the foregoing statement and wish to proceed.



+ -