OCR Confirms Walgreens HIPAA Investigation

By dnicastro@hcpro.com | August 05, 2010

The Office for Civil Rights (OCR) confirmed this week its investigation into the nation’s largest drugstore chain, Walgreens, based on the same television media reports that led to million-dollar settlements with CVS and Rite Aid for potential HIPAA violations.

The HIPAA privacy and security rule enforcer’s investigation into CVS and Rite Aid began September 27, 2007, according to each pharmacy chain’s consent agreement with the Department of Health & Human Services (HHS).

The agreements with HHS included a $2.25 million settlement for CVS (announced February 18, 2009) and a $1 million payment by Rite Aid (announced July 27, 2010).

Though neither consent agreement mentioned an investigation into Walgreens, OCR confirmed this week that it is looking into the HIPAA compliance practices of the Deerfield, IL, company.

Walgreens operates the most drugstores in the country, ahead of No. 2 CVS and No. 3 Rite Aid.

“We don't comment on whether or not an investigation is being conducted,” says Jim Cohn, Walgreens Media Relations manager. “If HHS has something to announce, we would defer to them. We have high confidence in our HIPAA compliance program and believe we have strong procedures to ensure compliance.”

HHS’ consent agreements with CVS and Rite Aid revealed that the pharmacies disposed of pill bottles and prescriptions that included protected health information (PHI) in trash containers without proper safeguards.

WTHR, the Indianapolis television outlet that broke the story of improper disposal practices after a nationwide “dumpster-diving” investigation four years ago, reported that Walgreens was one of the pharmacies where it found PHI in Dumpsters easily accessible to the public.

“The mound of PHI just kept building up,” says Bob Segall, lead investigator on the case for WTHR. “It was irrefutable.”

In addition to paying HHS $1 million, Rite Aid signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act and agreed to report compliance efforts to the FTC for 20 years.

CVS, meanwhile, had to implement a robust corrective action plan that requires:

  • Privacy rule compliant policies and procedures for safeguarding disposed patient information
  • Employee training on HIPAA
  • Employee sanctions for noncompliance

In addition, CVS must monitor its compliance with the HHS and FTC orders by having a third party conduct assessments and report to the federal agencies. The HHS corrective action plan lasts three years; the FTC requires monitoring for 20 years.

Rite Aid’s corrective action plan is similar.

The money collected by OCR through these settlements goes to “enforcement activities under the HITECH Act and the HIPAA Privacy and Security regulations,” OCR wrote in an e-mail to HealthLeaders Media.

John C. Parmigiani, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, and chair of the team that created the HIPAA Security Rule, says he doesn’t think HIPAA enforcement action will quiet down any time soon.

“Hopefully, this action will serve as an underscored wake-up call to the healthcare industry that enforcement of HIPAA Privacy and Security under HITECH is both serious business and will be rigorously applied,” Parmigiani says. “I predict this type of enforcement action will be repeated numerous times as we move into an intensified compliance environment for covered entities and business associates.”

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
