Rite Aid Pays $1M to Settle HIPAA Privacy Policy Issue

By Tanya Roth, Esq. on August 05, 2010 | Last updated on March 21, 2019

Drugstore chain Rite Aid has settled with the Department of Health and Human Services over allegations that employee actions violated the privacy requirements under the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA. In a related action, Rite Aid has also signed a consent consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act. Under the settlement, the company will pay $1 million and will provide more training to its employees regarding customer privacy.

The action against Rite Aid began, according to InformationWeek, when a television station taped Rite Aid employees dumping labeled medicine bottles and prescriptions with personal patient information into the dumpsters near various stores. This lead to an investigation by the HHS Office for Civil Rights (OCR) into whether or not the requirements protecting patient information under HIPAA privacy regulations were being followed. The OCR confirmed that the dumping of private information was going on in various cities, followed by media reports in many of them.

According to the press release from HHS, the HIPAA privacy rules safeguarding patient information are clear. The Privacy Rule requires health plans, health care clearing houses and most health care providers, including most pharmacies, to safeguard the privacy of patient information, including during its disposal. Dumping items with information such as patient addresses, medications and in some cases, even job applications, in dumpsters accessible to the public is clearly not the type of action that the HHS finds properly safeguards patient privacy.

Rite Aid has agreed to change its policies and procedures regarding the disposal of anything that might contain information protected under HIPAA. HHS also confirms that the company will re-train its workforce on the new requirements, monitor the progress internally and allow a third party to review and assess its compliance with the terms of the settlement.

Rite Aid is not alone in facing this kind of disciplinary action. As noted in a post in FindLaw's Common Law, in 2009, CVS pharmacies paid a $2.25 fine under a settlement for virtually the same violations under HIPAA. A report from NPR says Walgreens may the next in line.

Related Resources:

Copied to clipboard