AP reported this morning that CVS is settling a patient information investigation with HHS and FTC to the tune of $2.25M. Here’s the gist of it:
Employees at CVS pharmacies left the labels and other items in open trash bins outside stores, according to the Federal Trade Commission and the Department of Health and Human Services. The company also did not have adequate policies for disposing of that information, and did not sufficiently train employees to dispose of the information properly, the agencies say.
The items that were not properly discarded included pill bottles, medication instruction sheets, computer order forms, payroll information, job applications and credit card and insurance information. Those labels and forms contained personal information including Social Security numbers and credit card and insurance information, and in some cases, driver’s license numbers and account numbers. Names of the patients’ doctors were also included.
CVS said it is not aware of any consumers being harmed and has not acknowledged any wrongdoing but settled the investigation "to avoid the time and expense of further legal proceedings."
HIPAA has always been touted as a mechanism to ensure patient privacy, and while it’s been a good first step, HIPAA just doesn’t have enough enforcement action capability or monitoring systems in place to make a substantial difference.
What CVS is being fined for is not unique and is certainly not going to go away anytime soon. As long as the healthcare system lives on paper and we have to use untraceable faxes, mail, copies, and other manual means of transmitting patient information, these kinds of HIPAA violations will continue to occur. I for one am glad to see that some enforcement is happening, but it’s not enough to actually stem the tide of patient information disclosure violations.