HIPAA violations are finally starting to be punished

February 19, 2009

AP reported this morning that CVS is settling a patient information investigation with HHS and the FTC to the tune of $2.25M. Here’s the gist of it:

Employees at CVS pharmacies left the labels and other items in open trash bins outside stores, according to the Federal Trade Commission and the Department of Health and Human Services. The company also did not have adequate policies for disposing of that information, and did not sufficiently train employees to dispose of the information properly, the agencies say.

The items that were not properly discarded included pill bottles, medication instruction sheets, computer order forms, payroll information, job applications and credit card and insurance information. Those labels and forms contained personal information including Social Security numbers and credit card and insurance information, and in some cases, driver’s license numbers and account numbers. Names of the patients’ doctors were also included.

CVS said it is not aware of any consumers being harmed and has not acknowledged any wrongdoing but settled the investigation "to avoid the time and expense of further legal proceedings."

HIPAA has always been touted as a mechanism to ensure patient privacy, and while it’s been a good first step, HIPAA just doesn’t have enough enforcement capability or monitoring systems in place to make a substantial difference.

What CVS is being fined for is not unique and is certainly not going to go away anytime soon. As long as the healthcare system lives on paper and we have to use untraceable faxes, mail, copies, and other manual means of transmitting patient information, these kinds of HIPAA violations will continue to occur. I for one am glad to see that some enforcement is happening, but it’s not enough to actually stem the tide of patient information disclosure violations.

  • loticia777

    my dr. faxed all my records to my job

  • Karen Scovel

    I had to go to the emergency room; my husband was out of town so I didn't want him to know. After I was dismissed, they called my husband for some information.

  • Guest

    I was just terminated yesterday from my employer of 8 months for a HIPAA violation. I work in a call center and my husband is a patient at this particular medical center. At the time, I was the only agent in the center and my husband called to see if his prescription was approved by his provider. I attempted to reach a receptionist to relay this information, however, none were available at the time. I accessed his record and looked up the rx to give details. I am on his “contact list” to receive medical information/details from his health providers. What I did is normal job duties I perform for any other patients at our medical center. I did not add or take away anything from his chart. Is this a HIPAA violation that warrants immediate dismissal?
