Rite Aid Corporation (RAC) has agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, the U.S. Department of Health and Human Services (HHS) announced. The settlement resulted from a joint investigation of RAC by the HHS Office for Civil Rights (OCR) and the Federal Trade Commission (FTC).
The OCR, which enforces the HIPAA Privacy and Security Rules, started its investigation of RAC after viewing videotapes of Rite Aid pharmacies disposing of prescriptions and pill bottles, still labeled with customers’ personal information, in industrial trash containers that were accessible to the public.
Disposing of individuals’ health information in a trash container accessible to unauthorized persons is in violation of several requirements of the HIPAA Privacy Rule.
According to the press release, the OCR and the FTC also allege that RAC failed to:
- Implement adequate policies and procedures to protect patient information during the disposal process
- Appropriately train employees on how to dispose of private information
- Maintain a sanctions policy for employees who failed to properly dispose of patient information
In addition to paying the $1 million HHS settlement, RAC agreed to implement a corrective action program that includes:
- Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them
- Training workers on these new requirements
- Conducting internal monitoring
- Hiring an independent third-party assessor to conduct compliance reviews
Rite Aid has also agreed to external, independent assessments of its pharmacy stores’ compliance with an FTC consent order RAC signed.
The HHS Resolution Agreement is available online.