One of the nation’s largest drug store chains, Rite Aid Corporation and its 40 affiliated entities (Rite Aid) will pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.  The U.S. Department of Health and Human Services (HHS) Office of Civil Rights announcement of the HIPAA resolution agreement with Rite Aid and the concurrent negotiation of a separate consent order of potential FTC Act violations between Rite Aid and the Federal Trade Commission (FTC) follows HHS’ announcement of proposed changes to its HIPAA Privacy Rules and associated penalties in response to changes enacted under the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).  The Rite Aid settlement and the proposed Privacy Rule changes illustrate the growing penalty risks that health care providers, health plans, healthcare clearinghouses and their business associates (Covered Entities) face for violating the Privacy Rules. 

Rite Aid Resolution Agreement

The Rite Aid resolution agreements settle charges that Rite Aid failed to appropriately safeguard the privacy of its customers when disposing of identifying information on pill bottle labels and other health information. The settlements apply to all of Rite Aid’s nearly 4,800 retail pharmacies and follow an extensive joint investigation by the HHS Office for Civil Rights (OCR) and the FTC.

OCR opened its investigation of Rite Aid after television media videotaped incidents in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public in a variety of Rite Aid locations in cities across the United States.  OCR and FTC previously settled a similar case involving the national drug store chain CVS in February 2009.

The HIPAA Privacy Rule requires covered entities to safeguard the privacy of patient information and other “protected health information” including during its disposal.  In addition to the detailed requirements for protection and safeguarding of protected health information and electronic protected health information under the Privacy Rules, breach notification rules added to HIPAA under the HITECH Act also generally require that Covered Entities investigate and provide timely notification of breach to patients, OCR and in some cases the media when “unsecured protected heath information” is breached.  Meanwhile, the FTC Act and associated regulations require those retailers and certain other parties receiving personal financial information to comply with certain requirements for the protection and use of that information and to provide certain notifications of their privacy polices for protecting personal financial information.

The joint OCR and the FTC investigations raised concerns that:

• Rite Aid failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process;
• Rite Aid failed to adequately train employees on how to dispose of such information properly; and
• Rite Aid did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information.

Under the HHS resolution agreement, Rite Aid agreed to pay a $1 million resolution amount to HHS and must implement a strong corrective action program under which Rite Aid agreed to:

• Revise and distribute its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
• Train workforce members on these new requirements;
• Conduct internal monitoring; and
• Engage a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.

In addition, under its FTC consent order, Rite Aid separately agreed to external, independent assessments of its pharmacy stores’ compliance with the FTC consent order.

The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years.

Proposed Privacy Rule Changes

The Rite Aid resolution agreement and consent order follows the July 8, 2010 publication by OCR of proposed changes to its existing HIPAA Privacy, Security, and Enforcement Rules in response to amendments enacted under the HITECH Act. Because of the lead time required to implement needed changes in policies, technology and training, Covered Entities need to begin preparations to adjust their health information privacy and data security policies and practices in anticipation of the finalization and implementation of these rules as well as to act quickly to submit their comments about the proposed changes.  .

The more than 220 page Notice of Proposed Rulemaking (NPRM) proposes to revise the existing Standards for Privacy of Individually Identifiable Health Information (Privacy Rule); the Security Standards for the Protection of Electronic Protected Health Information (Security Rule); and the rules pertaining to Compliance and Investigations, Imposition of Civil Money Penalties, and Procedures for Hearings (Enforcement Rule) issued under HIPAA.

The author of this update, attorney Cynthia Marcotte Stamer, has extensive experience advising and assisting health care providers and other health industry clients with HIPAA and other privacy and data security, reimbursement, compliance, public policy, regulatory, staffing, and other operations and risk management matters. Ms. Stamer also is regularly conducts training on HIPAA and other health industry compliance, management and operations matters.  You can get more information about her health industry experience here.  If you need assistance with these or other compliance concerns, wish to inquire about arranging for compliance audit or training, or need legal representation on other matters please contact Ms. Stamer at (469) 767-8872 or via e-mail here. 

Other Recent Developments

If you found this information of interest, you also may be interested in reviewing some of the following recent Updates available online by clicking on the article title:

• HHS Invites Input On Medicaid Changes To Promote Children’s Health Quality
• CMS Adopts ESRD Facility Prospective Payment System & Proposes New Quality Incentive Program
• CMS Rule Clarifies When Outpatient Services Subject to 3-Day Rule & Finalizes FY 2011 Inpatient Payment Rates
• New Affordable Care Act Mandated High Risk Pre-Existing Condition Insurance Pool Program Regulations Set Program Rules, Prohibit Plan Dumping of High Risk Members
• CMS Proposes Changes To Civil Monetary Penalty Rules For Nursing Homes
• Office of Civil Rights Proposes Changes To HIPAA Privacy, Security & Civil Sanctions Rules
• New Law Clarifies Medicare 3-Day Payment Window Rule
• HHS Invites Comments On Health Center Program Federal Tort Claims Policy Manual
• NCPDP SCRIPT 10.6 Approved As Medicare Part D/Advantage E-Prescribing Option
• President Directs Quick HHS Action To Implement Physician Medicare Payment Restoration
• Proposed Medicare Rules Will Require Hospitals Honor Patient Visitation Preferences
• HHS Invites Comments On Health Center Program Federal Tort Claims Policy Manual
• NCPDP SCRIPT 10.6 Approved As Medicare Part D/Advantage E-Prescribing Option
• President Directs Quick HHS Action To Implement Physician Medicare Payment Restoration
• Proposed Medicare Rules Will Require Hospitals Honor Patient Visitation Preferences
• IRS Invites Input On Application of New Tax Exemption Requirements For Hospital Organizations Added By Affordable Care Act
• OIG Touts Expanding Health Care Fraud Enforcement Success & Launches New Health Care Fraud Hotline
• HHS Invites Input on Proposed Strategic Framework on Multiple Chronic Conditions
• New CBO Analysis Hikes Projected Affordable Health Care Act Cost by $115 Billion
• Pennsylvania Nurses Vote For Union In NLRB Election Highlights Rising Union Organizing Activity In Health Care Industry
• WellPoint To Ban Coverage Rescissions Before Affordable Care Act Fall 2010 Deadline
• DEA/DOJ Release Interim Final E-Prescribing Rules
• Joint Commission Revises Medical Staff Bylaw Standard
• IRS To Allow Medical Resident FICA Refund Claims
• Rising Enforcement and Changing Rules Require Prompt Review & Update of Health Plan Privacy & Data Security Policies & Procedures
• Pfizer To Pay $2.3 Billion For Fraudulent Marketing In Largest DOJ Health Care Fraud Settlement
• Maximum Penalty For Patient Protection Act Confidentiality Breaches To Rise To $11,000

For More Information

We hope that this information is useful to you. If you need assistance evaluating or responding to the Health Care Reform Law or health care compliance, risk management, transactional, operational, reimbursement, or public policy concerns, please contact the author of this update, Cynthia Marcotte Stamer, at (469) 767-8872, cstamer@Solutionslawyer.net.

Vice President of the North Texas Health Care Compliance Professionals Association, Past Chair of the ABA Health Law Section Managed Care & Insurance Section and the former Board Compliance Chair of the National Kidney Foundation of North Texas, Ms. Stamer has more than 23 years experience advising health industry clients about these and other matters. A popular lecturer and widely published author on health industry and human resources matters, Ms. Stamer continuously advises health industry clients about health industry and other related concerns. Ms. Stamer also publishes and speaks extensively on health and managed care industry regulatory, staffing and human resources, compensation and benefits, technology, public policy, reimbursement and other operations and risk management concerns. Her insights on these and other related matters appear in the Health Care Compliance Association, Atlantic Information Service, Bureau of National Affairs, World At Work, The Wall Street Journal, Business Insurance, the Dallas Morning News, Modern Health Care, Managed Healthcare, Health Leaders, and a many other national and local publications. For additional information about Ms. Stamer, her experience, involvements, programs or publications, see here.

You can review other recent health care and internal controls resources and additional information about the health industry and other experience of Ms. Stamer here. If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information – including your preferred e-mail – by creating or updating your profile at here or e-mailing this information here. To unsubscribe, e-mail here.

©2010 Solutions Law Press. All rights reserved.