CVS to pay $2.25 million settlement for patient privacy breaches

HCPRO Website, February 19, 2009

By Dom Nicastro

HIPAA privacy and security officers received their second major wakeup call this week that HIPAA enforcement efforts are on the rise.

The Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) announced Wednesday that CVS, the nation’s largest retail pharmacy chain, will pay the U.S. government $2.25 million and take corrective action in a settlement for potential privacy breaches affecting millions of patients.

The settlement ends an investigation by the HHS Office for Civil Rights (OCR) that began with media reports that CVS used industrial trash containers to dispose of patient information outside selected stores. The containers weren’t secured and were publicly accessible, according to a February 18 HHS press release.

CVS also settled potential violations of the FTC Act with the FTC.

According to HHS, CVS Caremark Corp., the pharmacy chain’s parent company, violated the privacy of millions of its customers when it improperly disposed of patient information, such as pill bottle labels. According to HHS, CVS:

  • Failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process
  • Failed to adequately train employees on how to dispose of such information properly

The announcement comes just one day after U.S. President Barack Obama signed into law the $787 billion American Recovery and Reinvestment Act of 2009, which includes provisions for heightened enforcement of HIPAA and stiffer penalties for privacy and security violations.

“[HHS] needed a poster child, and CVS was that poster child,” says Chris Apgar, CISSP, president of Apgar & Associates in Portland, OR.

“All of these things are culminating to totally revise HIPAA security, which I think is great,” says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA. “The government has been saying for years one of the biggest stumbling blocks to adopting electronic health records (EHR) is patient privacy. The public has to feel confident that their information is well protected.”

According to the terms of the resolution agreement, CVS must implement a robust corrective action plan that requires:

  • Privacy rule compliant policies and procedures for safeguarding disposed patient information
  • Employee training on HIPAA
  • Employee sanctions for noncompliance

In addition, CVS must monitor its compliance with the HHS and FTC orders by having a third party conduct assessments and report to the federal agencies. The HHS corrective action plan lasts three years; the FTC requires monitoring for 20 years.

“I think we have become lax in our compliance assurance,” says Margret Amatayakul, MBA, RHIA, CHPS, CPHIT, CPEHR, FHIMSS, president of Margret\A Consulting, LLC of Schaumburg, IL, and cofounder and member of the board of examiners of Health IT Certification.

Amatayakul says because there is not an overabundance of enforcement, complaints, or activity from patients who request their privacy rights, providers have regressed in their compliance efforts.

CVS' settlement comes nine months after HHS tagged Providence Health & Services for $100,000 as part of a resolution agreement that also included a corrective action plan for the Seattle-based health system to settle potential HIPAA privacy and security rule violations that occurred in 2005 and 2006, according to a July 17, 2008 HHS press release.

Nor was the resolution agreement with Providence Health & Services the only major news last year surrounding HIPAA privacy and security enforcement. On October 27, 2008, the Office of Inspector General (OIG) issued a largely critical report, “Nationwide Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight [A-04-07~05064],” reviewing CMS’ HIPAA security rule oversight, implementation, and enforcement.

In addition, the FTC’s new Red Flags rules, which will help facilities prevent identity theft with proper policies and procedures, become enforceable May 1.

“It’s a lot of things converging at the same time,” Borten says. “It gives us a real impetus to really take this seriously.”

Though she has yet to see the full report on the investigation, Amatayakul says CVS may have had a hard time disposing of the labels “because the labels are hard to put through a shredder. If they were on bottles that’s even more difficult to discard. Still, these are not excuses for inattention to appropriate safeguards.”

Borten reminds providers not to overlook the fundamental details of protecting patients’ privacy, such as shredding documents. “Even things that seem obvious are still tripping us up,” she notes.

Editor’s note: The HHS Resolution Agreement and Corrective Action Plan can be found on the OCR Web site.

OCR has posted new FAQs that address the HIPAA privacy rule requirements for disposal of protected health information. They can be found on the OCR Web site.

Information about the FTC consent order agreement is available at
