Health Law and Regulation

STORY OF THE WEEK


Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case

Rite Aid Corporation and its 40 affiliated entities (RAC) have agreed to pay $1 million to settle potential violations of the HIPAA Privacy Rule. In a coordinated action, RAC also signed a consent order with the FTC to settle potential violations of the FTC Act.

Rite Aid has also agreed to take corrective action to improve policies and procedures to safeguard the privacy of its customers when disposing of identifying information on pill bottle labels and other health information. The settlements apply to all of Rite Aid’s nearly 4,800 retail pharmacies and follow an extensive joint investigation by the HHS Office for Civil Rights (OCR) and the FTC.

The OCR opened its investigation of RAC after television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public. These incidents were reported as occurring in a variety of cities across the U.S. Rite Aid pharmacy stores in several of the cities were highlighted in media reports. Disposing of individuals’ health information in an industrial trash container accessible to unauthorized persons is not compliant with several requirements of the HIPAA Privacy Rule and exposes the individuals’ information to the risk of identity theft and other crimes. This is the second joint investigation and settlement conducted by OCR and FTC. OCR and FTC settled a similar case involving another national drug store chain in February 2009.

Among other issues, the reviews by OCR and the FTC indicate that:

  • Rite Aid failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process.
  • Rite Aid failed to adequately train employees on how to dispose of such information properly.
  • Rite Aid did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information.

Under the HHS resolution agreement, RAC agreed to pay a $1 million resolution amount to HHS and must implement a strong corrective action program that includes:

  • Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them.
  • Training workforce members on these new requirements.
  • Conducting internal monitoring.
  • Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.

Rite Aid has also agreed to external, independent assessments of its pharmacy stores’ compliance with the FTC consent order. The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years.

Source: U.S. Department of Health and Human Services, July 27, 2010



IMPORTANT NOTICE: This information is designed to provide accurate and authoritative information on the business of healthcare. It is distributed with the understanding that Healthcare Intelligence Network is not engaged in rendering legal advice. If legal advice is required, the services of a competent professional should be retained.



© Copyright 2012 Healthcare Intelligence Network
E-mail:info@hin.com Call toll-free (888) 446-3530