Rite Aid to Pay $1 Million for Potential Patient Privacy Breaches

Rite Aid Corporation could have avoided a $1 million fine by simply enforcing its HIPAA policies and procedures and providing ongoing staff training, experts say.

Rite Aid, of East Pennsboro Township, PA, and its 40 affiliated entities agreed to pay the Department of Health and Human Services (HHS) $1 million for potential HIPAA privacy violations in a settlement announced by HHS Tuesday.

An investigation by the Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules for HHS, revealed the pharmacies disposed pill bottles and prescriptions that included protected health information (PHI) in trash containers without proper safeguards.

Rite Aid, the nation’s third largest pharmacy, also signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act and agreed to report compliance efforts to the FTC for 20 years.

Just shy of 18 months ago, the nation's second largest pharmacy, CVS Caremark Corp., agreed to pay $2.25 million for nearly identical potential HIPAA violations affecting millions of customers. It also improperly disposed of patient information, such as pill bottle labels, in public trash containers.

“Since these incidents occurred in a variety of cities across the United States, this assumes a pattern of disregard and lack of attention to basic requirements of proper disposal of sensitive and confidential information,” says Phyllis A. Patrick, MBA, FACHE, CHC, cofounder & managing director of AP Health Care Compliance Group, LLC, in Pittsburgh. “There are simple preventative measures that can be put in place to prevent these incidents from happening, and there is a tremendous amount of information available from OCR and the FTC to assist in these efforts. This new violation should serve as a second, even louder wake-up call for the industry.”