Rite Aid Gets a Million Dollar Lesson in Privacy
About four years ago, an Indianapolis TV news station found that Rite Aid – and other pharmacies around the country – were dumping patient information in public trash bins. Based on this report, the Dept. of Health and Human Services Office of Civil Rights (OCR) opened an investigation of Rite Aid, and yesterday announced that it has reached a million dollar settlement with the drug store giant. OCR collaborated with the Federal Trade Commission (FTC) on the investigation.
The Health Insurance Portability & Accountability Act (HIPAA) requires covered entities (like hospitals, pharmacies, doctors’ offices) to protect the privacy of patient information with “reasonable” physical, technical and administrative safeguards. This includes the disposal of records and documents containing patient information. Privacy experts agree: tossing sensitive data in public trash without encryption, shredding – or really any method of protecting the data from even your average dumpster diver – doesn’t quite measure up to “reasonable.” Not even close.
Unfortunately, companies putting the sensitive medical details of large numbers of patients at risk of exposure is not a rare event. In general companies already know that they must protect patient data, and most have likely taught their employees that failure to follow health privacy laws is illegal, potentially devastating to affected individuals and morally unacceptable. Yet careless breaches keep happening.
In the opinion of many in the privacy advocacy community, a major reason for this is that OCR has historically shown great reluctance to slap companies with meaningful fines and sanctions for HIPAA violations. Is that trend changing? The Rite Aid settlement is the second largest of its kind, after a $2.5 million settlement OCR extracted from CVS Pharmacy in 2009 under very similar circumstances. Rite Aid and CVS also entered into agreements with HHS to change their business practices to help prevent such incidents from happening again.
If patients are to trust that their medical privacy is protected, strong enforcement of the law is crucial. CDT is encouraged by signs that HHS is starting to shed the kid gloves in order to get companies and their employees to take patient privacy more seriously. CDT is also pleased to see OCR and FTC continuing to work together to investigate companies violating privacy regulations. Lastly, a shout-out to media organizations exposing this kind of behavior on the part of companies. Good work.