August 3, 2010
Rite Aid Settlement in HIPAA Privacy Case Underscores the Importance of Using Proper Methods to Dispose of PHI
On July 27, 2010, it was reported that Rite Aid Corporation agreed to pay $1 million to the Department of Health and Human Services ("HHS") to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") Privacy Rule. The settlement follows a joint investigation by the HHS Office for Civil Rights ("OCR") and the Federal Trade Commission ("FTC"). An investigation of Rite Aid was initiated by OCR after pharmacies were videotaped disposing of prescriptions and labeled pill bottles containing individuals' protected health information ("PHI") into open trash dumpsters that were accessible by the public. According to reports, this practice occurred in a variety of cities across the United States.
In the investigation, OCR and the FTC found that Rite Aid:
- Failed to implement adequate policies and procedures to ensure the privacy of PHI during the disposal process.
- Failed to adequately train employees on the proper disposal of PHI.
- Failed to maintain a sanctions policy for members of its workforce who improperly disposed of patient information.
- Failed to assess compliance with its disposal policies and procedures.
In addition to paying the settlement amount, Rite Aid signed a consent order with the FTC to settle potential violations of the FTC Act. The retailer also agreed to take corrective action to improve its policies and procedures to safeguard the privacy of its customers. This will include:
- Revising and distributing its policies and procedures regarding the disposal of PHI.
- Adequately training workforce members on these new requirements.
- Conducting internal monitoring.
- Sanctioning workers who do not follow the policies and procedures.
- Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.
The Rite Aid case is the second reported joint investigation by OCR and the FTC. A similar case involving another drug store chain, CVS Caremark, was settled in February 2009.
Disposing of individual health information into a trash container without proper destruction methods could violate several requirements of the HIPAA Privacy Rule. The Privacy Rule requires health plans, health care clearinghouses and most health care providers (covered entities) to safeguard the privacy of patient information. This safeguarding practice extends to protecting information during its disposal.
Although the HIPAA Privacy and Security Rules do not require a particular disposal method, covered entities are responsible for determining what policies and procedures are reasonable for their institution. In making this determination, institutions should consider the form, type and amount of PHI to be disposed of. Sensitive information, such as a Social Security number, driver's license number, credit card number, or diagnosis and treatment information, will warrant more care due to the risk of identity theft, discrimination, or other harm to the individual's reputation. PHI should be rendered unreadable, indecipherable, and unable to be reconstructed before its disposal.
Examples of proper disposal methods include:
- Shredding, burning, pulping, or otherwise pulverizing paper records containing PHI.
- Maintaining labeled prescription bottles in an opaque bag in a secure storage area.
- Clearing, purging, or destroying any electronic media containing PHI.
- Using a disposal vendor as a business associate to pick up and destroy PHI.
More information on proper disposal methods can be found in the frequently asked questions about the HIPAA Privacy and Security Rules requirements for disposal of PHI on the OCR website: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf
The HHS Resolution Agreement and Corrective Action Plan can be found here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/riteaidres.pdf
Hall Render's HIPAA Impact Series has provided in-depth analysis of HIPAA issues and developments since the passage of HITECH. Our HIPAA Impact Series may be accessed at http://www.hallrender.com/.
If you need additional information about HIPAA and HITECH, please contact Elizabeth Callahan-Morris at (248) 457-7854 or ecallahan@hallrender.com, Mark J. Swearingen at (317) 977-1458 or mswearingen@hallrender.com, or your regular Hall Render attorney.
Special thanks to law clerk Andrea B. Anantharam for her contributions to this Alert.