HIPAA Roundup: Pharmacy Settlements and OCR Investigations

By | September 21, 2016

Over the past few years, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has considerably ramped up its enforcement efforts for HIPAA violations.

Pharmacies have continued to be hit with OCR investigations and massive fines for breaches of protected health information (PHI). These investigations are often initiated over minor privacy or security incidents and become major HIPAA violations once the organization’s full-scale non-compliance is brought to light.

Below, we’ve looked at three important settlements that speak to the future of HIPAA enforcement for pharmacies across the country.


CVS Pharmacy, $2.25 Million HIPAA Settlement

On January 16, 2009, HHS reached a settlement with CVS Pharmacy, Inc. to resolve alleged violations of the HIPAA Privacy Rule. The $2.25 million settlement came after OCR investigators determined that stores across the nation were improperly disposing of labels containing the PHI of patients and customers.

OCR investigators found that CVS failed to implement the appropriate policies and procedures to safeguard the integrity of disposed PHI, that it failed to train employees on how to properly dispose of PHI, and that it did not implement an appropriate sanctions policy for employees and pharmacists who failed to properly dispose of PHI.

The integrity of PHI is paramount to compliance with the HIPAA Privacy Rule, and pharmacies face especially difficult challenges in maintaining proper privacy standards. As the next examples show, improper handling of PHI is one of the most significant risks that pharmacies are exposed to under HIPAA regulation.


Rite Aid Pharmacy, $1 Million HIPAA Settlement

Rite Aid reached a $1 million settlement with HHS on July 27, 2010 for alleged violations of the HIPAA Privacy Rule. The chain operates nearly 4,800 retail pharmacies across the country.

Investigators determined that PHI was being disposed of incorrectly, without policies and procedures governing the disposal process. Additionally, Rite Aid’s employees weren’t trained on the proper disposal of PHI, nor were appropriate sanctions applied to employees who improperly disposed of PHI.

The Rite Aid settlement and corrective action plan closely mirrored the 2009 CVS settlement discussed above. OCR often follows trends in enforcement, building cases and going after chronic issues of non-compliance across major health care industries. Large-scale national franchises make for easy targets in investigations like these, but the risk is just as material for smaller health care entities.


Cornell Prescription Pharmacy (Denver, CO), $125,000 HIPAA Settlement

Cornell Prescription Pharmacy is a small, single-location pharmacy based in Denver, Colorado. The $125,000 settlement was announced on April 27, 2015 in response to the improper disposal of documents containing the PHI of 1,610 patients.

In what was perhaps the strictest of the three incidents we’ve discussed, OCR Director Jocelyn Samuels stated: “Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.” Samuels continued, “Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper.”

Since taking office in June of 2015, Samuels has overseen more fines than in the prior nine years combined. With her focus turning to organizations that have historically been spared from HIPAA enforcement, such as independent pharmacies, the possibility of a HIPAA audit has become a real threat to players across the health care industry.