When HIPAA was passed and made federal law by the Clinton administration in 1996, the fear of fines and even jail time sent the medical industry scrambling to beef up its patient data security by the 2003 deadline. However, for years afterwards, HIPAA remained a toothless tiger. Occasionally, it growled and violators were warned to clean up their act. But it usually did not bite, as prosecutions were rare and usually mild.
Since no serious prosecutions have taken place since HIPAA went into effect in 2003, I and the medical industry have wondered if HIPAA is just a made-up boogeyman meant to frighten them into compliance.
All this changed on February 18 when the U.S. Department of Health and Human Services and the Federal Trade Commission issued a press release stating CVS had to pay $2.25 million to the U.S. government for HIPAA violations.
The HHS Office for Civil Rights (OCR) and the Federal Trade Commission caught the pharmacy chain red-handed disposing of empty pill bottles that contained patient data in dumpsters and trash containers outside select stores. Among other issues, CVS “failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process; and failed to adequately train employees on how to dispose of such information properly.”
In addition to paying its fine, CVS Caremark Corp., the parent company of the 6,000-store pharmacy chain, must implement a robust corrective action plan that requires Privacy Rule compliant policies and procedures for safeguarding patient information. CVS must also submit to a biennial audit by a third party to show its compliance.
Is HHS trying to set an example with the steep penalty? Is CVS the sacrificial lamb intended to inspire other delinquent HIPAA violators to clean up their act?
While many medical industry companies may have been gambling with HIPAA violations, at least CVS learned it isn’t worth the risk. Besides the possible penalties, compromising personal patient data is a strike against the reputation of a company. And this can be more costly than any fine by the HHS.