Rite Aid to Pay $1 Million for Potential Patient Privacy Breaches

Cheryl Slavinsky, director of public relations for Rite Aid, said in a phone interview with HCPro, Inc. that the company does have comprehensive HIPAA policies and procedures and training for employees. However, she admitted that human error led to the charges of Rite Aid's improper safeguarding of PHI in the HHS and FTC consent agreements.

Rite Aid has not been notified that any individuals were affected by the potential breaches of PHI, Slavinsky said.

OCR's investigation timeline

Each investigation by OCR began on September 27, 2007, according to the HHS resolution agreements with CVS and Rite Aid.

OCR opened its investigation of Rite Aid after television media videotaped incidents showed disposed prescriptions and labeled pill bottles containing PHI in industrial trash containers accessible to the public.

Rite Aid's violations occurred between July 2006 and October 2006; CVS's violations occurred between July 2006 and May 2007.

WTHR, the Indianapolis television outlet that broke improper disposal practices by CVS, Walgreens and Rite Aid, reported Tuesday that federal regulators will next go after Walgreen's, the nation's largest pharmacy retail chain. (OCR did not immediately respond to a request to confirm this.)

Among other issues, the reviews by OCR and the FTC indicated that Rite Aid:

• Failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process
• Failed to adequately train employees on how to dispose of such information properly
• Did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information