Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case

For those providers and entities that think HIPAA violations are no big deal or that have yet to implement required policies and procedures, they are well advised to review the Department of Health and Human Services July 27, 2010 press release announcing a $1 million dollar settlement related to allegations of violations of HIPAA.

Rite Aid Corporation and its 40 affiliated entities (RAC) agreed to pay $1 million to settle violations under the HIPAA Privacy Rule. The Office of Civil Rights (OCR) which enforces the HIPAA Privacy and Security Rules opened its investigation of RAC after a television media station reported on incidents where pharmacies were shown to have disposed of prescriptions and labeled pills bottles that contained individuals’ identifiable information in trash containers accessible to the public.

Such an act of disposing of individuals’ health information in places that is accessible to an unauthorized person is in violation of several requirements found in the HIPAA Privacy Rule. The HIPAA Privacy Rule requires health plans, health care clearinghouses and most health care providers including pharmacies, to protect the privacy of patient information, including such information during its disposal.

As part of the settlement agreement, Rite Aid also agreed to take the following corrective action to improve its policies and procedures to safeguard the privacy of its customers: (1) revise and distribute policies and procedures regarding disposal of protected health information and sanction workers who do not follow them; (2) train employees on the new requirements; (3) conduct internal monitoring; and (4) engage a qualified and independent third-party to conduct compliance reviews and render report to HHS.

For more information regarding HIPAA or health information privacy matters, please contact Abby Pendleton, Esq. or Jessica L. Gustafson, Esq. at (248) 996-8510.