CVS Caremark Corp., parent company of the national's largest pharmacy chain, has implemented a chain-wide shredding program in light of the $2.25 million fine handed down in February by the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) for potential breaches of millions of patient records.
In its 2008 annual report released May 5 called Improving Outcomes: 2008 Corporate Social Responsibility Report, CVS says, "We are committed to being an industry leader in privacy matters and place a high priority on protecting our customers' private information."
Officials at CVS declined to speak when contacted by HealthLeaders Media, but the report outlines a shredding program that critics said should have prevented the February breach.
"We have comprehensive policies and procedures in place to effectively manage the proper disposal of confidential waste and have instituted a chain-wide shredding program for confidential waste," the report says.
The fine represented a settlement between the HHS Office for Civil Rights (OCR), the FTC, and CVS. An investigation into the pharmacy's practices began with media reports that CVS used industrial trash containers to dispose of patient information outside selected stores. The containers weren't secured and were publicly accessible, according to a February 18 HHS press release.
CVS also settled potential violations of the FTC Act with the FTC in February.
According to HHS, CVS Caremark Corp., violated the privacy of millions of its customers when it improperly disposed of patient information, such as pill bottle labels. According to HHS, CVS:
• Failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process
• Failed to adequately train employees on how to dispose of such information properly
CVS also reports it is working with the Health Information Trust Alliance (HITRUST) to develop tools and services "aimed at protecting sensitive health information and reducing the risk of security and privacy breaches."
HITRUST, a collaboration of information security and healthcare leaders, released in March its "Common Security Framework (CSF)," or material on IT security controls for healthcare information based on existing regulations and standards.
CVS, an executive council member of the alliance, says it helped develop the Framework, a first of its kind.
Chris Hourihan, manager, Strategy and Operations, for HITRUST, says the Framework is "essentially the authoritative reference guide for information security in healthcare." The company is working on the second version of the Framework with industry leaders now to include additional regulatory requirements, including the HITECH Act and others from CMS.
Hourihan says company like CVS deals with multiple lines of service, making it difficult to comply with federal regulations across the board. With CSF, "CVS can scale their compliance scope to focus on one or more specific business areas at a time," Hourihan told HealthLeaders Media.
In its annual report, CVS says it is also effectively protecting patient privacy in the areas of:
- Pharmacy and patient interactions
- Pharmacy layout and design
- Privacy notification
- Privacy complaints
- Cardholder privacy
The federal government announced the CVS fine just one day after President Barack Obama signed into law the $787 billion economic American Recovery and Reinvestment Act of 2009 that includes provisions for heightened enforcement of HIPAA and stiffer penalties for privacy and security violations.