"The lack of disposal controls, policies and procedures appears to have been a long time security problem with Rite Aid," says Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, of Des Moines, IA. "Improper disposal of information, in all forms, is one of the weakest links in information security in most organizations. And the safeguards for disposal really are some of the most straightforward activities, more policies- and human-focused, and much less expensive than the much more expensive network security technology controls that organizations need to implement on their networks."
Rite Aid's corrective action plan
Under the HHS resolution agreement, Rite Aid must implement a corrective action program that includes:
Rite Aid also agreed to external independent assessments of its pharmacy stores' compliance with the FTC consent order. The HHS corrective action plan will be in place for three years and the FTC order for 20 years.
The HIPAA Privacy Rule requires health plans, healthcare clearinghouses and most covered entities, including most pharmacies, to safeguard the privacy of patient information, including such information during its disposal.
The HITECH breach notification interim final rule, in effect since September 2009, includes shredding as a proper disposal method of paper records.
"It is critical that companies, large and small, build a culture of compliance to protect consumers' right to privacy and safeguard health information. OCR is committed to strong enforcement of HIPAA," Georgina Verdugo, director of OCR, said in a statement. "We hope that this agreement will spur other health organizations to examine and improve their policies and procedures for protecting patient information during the disposal process."
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of the HIPAA College in Casa Grande, AZ, says Rite Aid simply failed to "take care of the basics."
"This isn't a case of some high tech, innovatively devised scheme that cracked or bypassed safeguards to protect PHI," Ruelas says. "Rather, it is representative of a failure to implement basic safeguards that likely would have saved Rite Aid the $1 million dollars it is paying in settlement of this violation and the cost of lost business that this is likely to generate with its customer base."
CVS, Rite Aid response
In light of its settlement, CVS Caremark Corp. implemented a chain-wide shredding program months after the February 2009 settlement with HHS and the FTC.
Rite Aid has already enhanced its HIPAA training program and reinforced compliance with its disposal program, according to Slavinsky.
Rite Aid stores filled approximately 300 million prescriptions and served an average of 2.2 million customers per day during fiscal year 2010, according to OCR. The settlements apply to all of Rite Aid's nearly 4,800 retail pharmacies.
The Rite Aid news comes three weeks after HHS released a proposed rule to modify the HIPAA privacy, security, and enforcement rules, extending HIPAA compliance requirements to subcontractors of business associates and strengthening patient rights to health information privacy.
Editor's note: Visit the OCR privacy website to view the following additional information: