CVS to Pay $2.25M Over Patient Privacy Probe
CVS Caremark, operator of the largest pharmacy chain in the U.S., will pay $2.25M to settle claims that it failed to protect the sensitive medical and financial information of its pharmacy customers and store employees. As part of the settlement, the company has agreed to adopt new practices intended to prevent future privacy violations.
According to a Federal Trade Commission (FTC) News Release issued Wednesday, some of CVS Caremark's more than 6,000 pharmacies disposed of sensitive patient information in open dumpsters -- including empty prescription pill bottles and medication instruction sheets that contained patients' detailed personal and medical information. Many CVS pharmacies also disposed of employment applications and payroll information in the same manner, jeopardizing the privacy of employees and job applicants, according to the FTC.
A related FTC Order requires CVS Caremark to "establish, implement, and maintain a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from consumers and employees." The FTC and the U.S. Department of Health and Human Services had been investigating CVS Caremark for alleged privacy violations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a federal law that requires health care providers and pharmacies to safeguard their patients' medical information.
- FTC News Release on CVS Caremark Settlement and Order (FTC.gov)
- Read the CVS Caremark Settlement Agreement and Order [PDF file] (FTC.gov)
- MarketWatch: CVS Pays $2.25 Million and Toughens Practices to Settle HIPAA Privacy Case
- CNNMoney.com: CVS to Pay $2.3M to Resolve Patient Privacy Concerns
- Health Information Privacy (HHS.gov)
- Understanding HIPAA Privacy (HHS.gov)
- FAQ: Disposal of Protected Health Information (HHS.gov)
- Patients' Rights: Confidentiality and Privacy (FindLaw)
- Health Care and the Law (FindLaw)