• Sanctions for Lazy Disposal Require Drug Store Chain to Re-"Rite" its Data Security Policies and Procedures
  • August 19, 2010
  • Law Firm: Proskauer Rose LLP - Washington Office
  • Rite Aid has agreed to pay $1 million to resolve allegations that it violated the Health Insurance Portability and Accountability Act (“HIPAA”) by pitching pill bottles and prescription information into publicly accessible dumpsters near Rite Aid stores. According to the Department of Health and Human Services’ resolution agreement, released on July 27, Rite Aid must implement a three-year corrective action program, which includes the adoption of revised policies and procedures concerning the disposal of sensitive health-related information, employee training programs related to the revised policies and procedures, and penalties for employees who fail to comply with them.

    In addition to the HHS resolution agreement, Rite Aid has entered into a separate but related settlement with the FTC to resolve the FTC’s allegations that the company failed to live up to promises made in its privacy policy that it would protect customers’ sensitive medical information. The FTC settlement will require Rite Aid to implement a comprehensive information security program and obtain independent audits of the program for twenty years.

    The Rite Aid settlement marks the second time HHS and the FTC have joined forces for an investigation into alleged violations of individuals’ information privacy. The agencies began investigating Rite Aid after news media captured footage of employees at a number of pharmacies, not limited to Rite Aid, tossing sensitive medical information into insecure trash containers. According to HHS and the FTC, this practice demonstrated Rite Aid’s failure to implement, teach and enforce appropriate policies regarding the disposal of sensitive information.

    So will [insert name of your pharmacy here] be the agencies’ next target? We hope not!