Rite Aid Fined $1 Million for Improperly Disposing Personal Information

On July 27th, the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) announced settlements with Rite Aid Corporation for the improper disposal of personal information -- including prescriptions and labeled pill bottles containing identifiable information about Rite Aid customers, and employment applications -- in publicly accessible dumpsters behind Rite Aid stores in a number of cities across the country.  In addition to improperly disposing of personal information, HHS and the FTC also claimed that Rite Aid failed to:

  • implement policies and procedures to dispose securely of such information, including, but not limited to, policies and procedures to render the information unreadable in the course of disposal;
  • adequately train employees to dispose securely of such information;
  • use reasonable measures to assess compliance with its established policies and procedures for disposing of such information; and
  • employ a reasonable process for discovering and remedying risks to such information.

Under the HHS resolution agreement, Rite Aid agreed to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act Privacy Rule.  Rite Aid also agreed to distribute policies and procedures for protecting protected health information (such as the patient information improperly disposed of in this case), train employees on the policies and procedures, monitor for violations, sanction employees who commit violations, and hire a third-party auditor to conduct periodic compliance reviews.  The HHS resolution agreement applies for three years.

In its consent order, the FTC accused Rite Aid of committing both unfair and deceptive trade practices in violation of Section 5 of the FTC Act.  Specifically, the FTC claimed that Rite Aid committed unfair trade practices when it failed to employ reasonable and appropriate measures to prevent unauthorized access to the personal information, and committed deceptive trade practices when it recklessly disposed of customers' health information despite making claims it would responsibly protect such information. 

In addition to the penalties imposed by HHS, the FTC ordered Rite Aid to cease misrepresenting its information security practices to consumers, establish a comprehensive information security program reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers and employees, and obtain biannual audits of its information security program for the next 20 years.

These settlements were similar to those imposed on CVS Caremark in February of 2009, which also stemmed from a joint investigation by HHS and the FTC into reports of patient and employee information being improperly disposed of in publicly accessible dumpsters.  While many of the procedural requirements of the settlements are similar, in that case HHS required CVS Caremark to pay $2.25 million to settle the charges.

These cases reaffirm the agencies' commitment to investigating and punishing improper data disposal practices, especially in light of high-profile media reports that discovered sensitive consumer information in dumpsters and in boxes left by the side of the road.  In order to avoid these types of high-profile investigations, organizations should implement and enforce data retention policies and always destroy sensitive customer and employee data prior to disposal.

New Hampshire Enacts Health Information Privacy Laws

This summer New Hampshire enacted two laws that increase protection for health information. The first, H.B. 619, restricts the use of health data for marketing and fundraising purposes, and imposes new state data breach notification requirements on health care providers, including pharmacists.  The second, H.B. 542, establishes a framework for health information exchange entities (HIEs) and requires that individuals be permitted to opt out of sharing their protected health information with HIEs.  

H.B. 619 changes the definition of marketing to require an individual’s consent before communications can be made recommending alternative treatments, therapies, providers or settings of care unless those communications are made by the individual’s health care provider.  Currently, those communications can be made by health plans without the individual’s consent.  The bill also requires patients to be given an opportunity to opt out of fundraising using protected health information prior to any solicitation.  

The new law will be more protective than HIPAA because it requires the covered entity to seek an opt-out before the initial fundraising material is disseminated. It also includes a private right of action that will permit patients to bring a civil action in response to violations of the new marketing and fundraising restrictions. 

H.B. 619 also establishes a data breach notification requirement mandating that providers and business associates notify individuals in writing upon the unauthorized use or disclosure of their protected health information if such uses or disclosures violate New Hampshire law, even if the same uses or disclosures are “allowed under federal law”.  This law differs from New Hampshire’s general breach notification law in a number of ways, most notably that the health information law does not require any risk of harm threshold to be met before notification is mandated. Individuals may sue for violations of the breach notice requirements. 

H.B. 542 presents a framework for future health information exchange entities that permits providers to share information with HIEs but limits access to the information to providers and permits access for treatment purposes only.  HIEs also must maintain audit logs, documenting provider access to patient information, and must meet federal certification standards once these are finalized.

Both laws take effect January 1, 2010.