Resolution Agreement

CVS Pays $2.25 Million & Toughens Disposal Practices to Settle HIPAA Privacy Case

In a case that involves the privacy of millions of health care consumers, on January 16, 2009, the U.S. Department of Health & Human Services (HHS) reached agreement with CVS Pharmacy, Inc. to settle potential violations of the HIPAA Privacy Rule.  To resolve the Department’s investigation of its privacy practices, CVS agreed to pay $2.25 million and implement a detailed Corrective Action Plan to ensure that it will appropriately dispose of protected health information such as labels from prescription bottles and old prescriptions.  The new practices will apply to all CVS retail pharmacies, over 6,300 stores.  In a coordinated action, CVS Caremark Corporation, the parent company of the pharmacy chain, also signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act.

CVS is the largest pharmacy chain in the country.  OCR opened its investigation of CVS pharmacy compliance with the Privacy Rule after media reports alleged that protected health information maintained by several retail pharmacy chains was being disposed of in dumpsters that were not secure and could be accessed by the public. At the same time, the FTC opened its investigation of CVS. OCR and the FTC conducted their investigations collaboratively.  This is the first instance in which OCR has coordinated investigation and resolution of a matter with the FTC.

The Privacy Rule requires health plans, health care clearinghouses and most health care providers (covered entities), including pharmacies, to safeguard the privacy of protected health information, including such information during its disposal.

Among other issues, the OCR review indicated that:

• CVS failed to implement adequate policies and procedures to reasonably an d appropriately safeguard protected health information during the disposal process;
• CVS failed to adequately train employees on how to dispose of such information properly; and
• CVS did not maintain and implement a sanctions policy for members of its workforce who failed to comply with its disposal policies and procedures.

Under the Resolution Agreement, CVS agreed to pay a $2,250,000 resolution amount and implement a strong Corrective Action Plan that requires:

1. revising and distributing its policies and procedures regarding disposal of protected health information;
2. sanctioning workers who do not follow them;
3. training workforce members on these new requirements;
4. conducting internal monitoring;
5. engaging a qualified, independent third-party assessor to conduct assessments of CVS compliance with the requirements of the Corrective Action Plan and render reports to HHS;
6. new internal reporting procedures requiring workers to report all violations of these new privacy policies and procedures; and
7. submitting compliance reports to HHS for a period of three years.

Both HHS and FTC require CVS to actively monitor its compliance with the Resolution Agreement and Consent Order*.

Read the Resolution Agreement.

Read the Press Release.

For more information about the HIPAA Privacy Rule requirements for disposal of protected health information, please view our Frequently Asked Questions on the Disposal of Protected Health Information developed to coincide with this enforcement action.

*Copies of the complaint, proposed consent agreement, and an analysis of the agreement to aid in public comment are available from the FTC website or FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580