CVS & HHS: Partners in Compromising Your Privacy

Filed in Health Law, Privacy on June 28, 2010

On January 16, 2009, the Department of Health and Human Services (HHS) and CVS entered into a resolution agreement requiring CVS to pay a $2.25 million fine and implement a corrective action plan for “potential violations of the HIPAA [The Health Insurance Portability and Accountability Act of 1996] privacy rule.”  Why?  CVS had allegedly been placing prescription bottles and labels into dumpsters that were accessible to the public.  The bottles/labels contained protected health information (PHI), which CVS was required to safeguard under federal law.

Although HHS appears to regard the settlement as a success, given its prominence on the HIPAA enforcement section of HHS’s website, it is nothing of the sort.  The agreement provides that CVS “expressly den[ies] any violation of HIPAA or the Privacy Rule, and further den[ies] any wrongdoing,” while HHS does not concede that CVS is “in compliance with the Privacy Rule.”  HHS did agree with itself, however, releasing an FAQ (accompanying the press release) stating that under its Privacy and Security Rules: “covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.”

Why is this old news important?  This week I had a prescription filled at my local CVS pharmacy in Livingston, New Jersey.  While standing at the pharmacy I noticed that all of the filled prescriptions were stored directly behind the counter in plain view of any customer.  Each prescription was inside a small bag to which a customer receipt was attached.  The receipts in the front row of the storage bins were readable from the counter.  The receipts contain protected health information (PHI) that is subject to the Privacy and Security Rules of HIPAA including:

1) Full name,

2) Address,

3) Telephone number,

4) Day and month of birth,

5) Drug name and dosage, and

6) Prescriber.

HHS maintains the authority for civil enforcement of violations of the Privacy and Security Rules promulgated pursuant to HIPAA.  So, why is it that CVS allows the public to view its customers’ PHI in violation of HIPAA even while still subject to the corrective action plan for its prior alleged violations?  Well, I asked the pharmacist on duty.  The pharmacist acknowledged that it was a problem that the PHI could be viewed from the counter.  However, CVS was expecting to remodel and “hopefully” the shelf would be placed farther away to render the PHI unreadable.  Upon requesting the contact information for CVS’s privacy officer, the pharmacist readily provided such information and stated that she would “appreciate” someone actually reporting the apparent violation.

HHS was recently provided with additional enforcement tools under the HITECH provisions of the American Recovery and Reinvestment Act of 2009.  Unfortunately, it does not appear that HHS is serious about enforcing its own regulations or resolution agreements; nor, if the flagrantly violative placement of prescriptions is indicative of mindset,  is CVS serious about HIPAA compliance.
