CVS pays $2.25 million to settle HIPAA privacy case.

The U.S. Department of Health and Human Services and the Federal Trade Commission announced February 18 that CVS, the nation's largest retail pharmacy chain, will pay the U.S. government a $2.25 million settlement and take corrective action to ensure it does not violate the privacy of patients when disposing of patient information such as identifying information on pill bottle labels. The settlement, which applies to all of CVS's more than 6,000 retail pharmacies, follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

OCR, which enforces the Privacy Rule, opened its investigation of CVS's compliance with that rule after media reports alleged that patient information maintained by the pharmacy chain was being disposed of in industrial trash containers outside selected stores that were not secure and could be accessed by the public. The FTC cooperated in the investigation with OCR. Among other issues, the probe indicated that CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process. The pharmacy chain also failed to adequately train employees on how to dispose of such information properly.

As part of the settlement, CVS also entered into a consent agreement with the FTC, under which it agreed to a corrective action plan and compliance monitoring by an independent third party. As a result of the CVS case, OCR has posted new FAQs that address the HIPAA Privacy Rule requirements for disposal of protected health information. They can be found on the OCR web site at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf.

By AMT Legal Counsel Michael N. McCarty, Brickfield, Burchette, Ritts & Stone, P.C.