RAC agrees to pay $1 million to settle violations of HIPAA

The HIPAA Privacy Rule requires health plans, health care clearinghouses and most health care providers (covered entities), including most pharmacies, to safeguard the privacy of patient information and to maintain adequate levels of privacy and security when disposing of that information.

Media outlets circulated videotaped incidents from a variety of cities across the United States in which pharmacies were shown to have disposed of prescriptions and labeled pill bottles containing individuals’ identifiable information in industrial trash containers that were accessible to the public. Rite Aid pharmacy stores in several of the cities were highlighted in the media reports. Following this, OCR, which enforces the HIPAA Privacy and Security Rules, opened its investigation of RAC and found it guilty.

Now, Rite Aid Corporation and its 40 affiliated entities have decided to pay $1 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The company has also signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act. In addition, it has agreed to take corrective action to improve measures to safeguard the privacy of its customers when disposing of identifying information on pill bottle labels and other health information.

“It is critical that companies, large and small, build a culture of compliance to protect consumers’ right to privacy and safeguard health information. OCR is committed to strong enforcement of HIPAA,” said Georgina Verdugo, director of OCR. “We hope that this agreement will spur other health organizations to examine and improve their policies and procedures for protecting patient information during the disposal process.”

The HHS corrective action plan will be in place for three years; the FTC order will be in place for 20 years.