HHS Thinks Rite Aid Disposal Policies Are "In the Dumps"

Prepared by Krystyna Nowik. 

In a recent settlement agreement, Rite Aid Corporation and its affiliated entities have agreed to shell out $1 million in order to settle potential HIPAA violations. The Office of Civil Rights (OCR) and the Federal Trade Commission (FTC) launched an investigation against Rite Aid and its affiliates after media reports showed Rite Aid pharmacies across the country had disposed of prescription and pill bottles containing protected health information (PHI) in publicly accessible dumpsters. The investigation indicated that Rite Aid entities failed to implement appropriate policies and procedures to safeguard PHI during the disposal process. It also found that Rite Aid entities did not provide and document appropriate training for their employees in disposing of PHI. Finally, the investigation indicated that Rite Aid entities had not implemented a sanction policy to deal with employees who violated the disposal policies and procedures.

The Rite Aid Resolution Agreement is an important tool for other covered entities in assessing and developing policies and procedures for disposing of PHI. Covered entities should ask themselves:

  1. Is there an up-to-date policy for the disposal of PHI? Are employees aware of it?
  2. Are employees properly trained on how to dispose of PHI? How is training documented?
  3. What sanctions are in place? Are employees reeducated, reprimanded or otherwise appropriately sanctioned after a violation?
  4. How is off-site destruction/disposal dealt with? Are business associate contracts HIPAA compliant?
  5. Is there an internal and/or third-party auditing system in place to ensure employees are complying with the disposal and other HIPAA policies?

Read the full Rite Aid Resolution Agreement posted on HHS's website. For additional guidance and best practices for disposal of PHI, see the helpful joint FAQ posted by HHS and CMS on the topic. The FAQ even describes how to properly dispose of computers and other electronic media that store electronic PHI, which is of particular relevance for Health Information Exchanges.

Krystyna is a graduate of Seton Hall Law School, with a concentration in Health Law. She works with Oscislawski LLC on various Health Information Exchange matters and is a guest contributor to Legal HIE.

HIE Liability and Insurance

Liability continues to be a central concern for HIEs and their stakeholders. In general, liability may arise from the acts or omissions of a party that fails to meet a responsibility or legal duty. Last year, I discovered an excellent resource that summarizes liability coverage issues for Regional Health Information Organizations (RHIOs) that I would like to pass along to readers. Specifically, the Agency for Healthcare Research and Quality (AHRQ) published a Report in June 2009 that looked at key liability issues identified by RHIOs, as well as insurance options.

Here are some of the key points the Report makes regarding liability concerns, as well as a few thoughts of my own:

  • Liability for Data Storage and Management. How data is stored and managed (e.g., by the RHIO versus by its participants) will affect the distribution of liability. In general, the more authority and responsibility that the RHIO possesses in connection with the data, the more liability coverage it will need to take on. I agree.
  • Liability for Accuracy and Completeness. Both data suppliers and data users are concerned about their respective liability in relation to data being accurate and complete. RHIOs often will contractually limit their liability for the accuracy of data supplied, or received and used. However, if the RHIO manipulates the data in transit in any way, it could be held responsible for such intervening acts. I note that data senders and receivers are also typically required to carry insurance and assume contractual responsibility for supplying accurate and complete data to the RHIO.
  • Duty to Review. In a previous blog post, I discussed providers’ concerns that joining a RHIO/HIE will create a duty to review all information about a patient contained in the RHIO/HIE, and that this will potentially expose them to an increased risk of “missing” relevant information. In my post, I noted why I thought that the role of HIEs in connection with the "standard of care" is still evolving. The Report additionally notes that:

there are no widely recognized standards for reasonable physician behavior in seeking or reviewing electronically available data, or for the extent to which that data should inform his/her clinical decisions.

  • Liability for Audit Logs. The Report points out that some RHIOs have recently been compelled via subpoena to provide audit information for malpractice lawsuits involving the RHIO's participants. Although a RHIO may be legally obligated to respond to a subpoena, I note that it is still important that HIPAA’s standards for releasing PHI in response to a subpoena are complied with.
  • Extending Liability to IT Vendors. If the IT vendor provides any software, integration services, or operational services for the RHIO, the vendor should assume responsibility for its actions. The Report noted that one factor that strongly influenced the amount of liability assigned to IT vendors was the negotiating power of the RHIO. The type of coverage in their liability insurance that the IT vendors were asked to carry varied, but typically total liability coverage ranged between $1 million and $3 million.

With regard to insurance coverage, the Report made the following additional points:

  • Researching, negotiating and obtaining liability coverage takes time. Get started early.
  • There remains a high degree of uncertainty with regard to what constitutes adequate coverage.
  • Insurance policy options for RHIOs are growing, but remain limited.
  • There is wide variability in liability insurance practices across RHIOs.
  • Sovereign immunity has its advantages and disadvantages. On this last point, the paper notes that while some are strong proponents of State immunity for RHIOs, citing such benefits as increased stakeholder participation, decreased start-up costs, and long-term sustainability, others are skeptical, noting that if State immunity is available, RHIOs may not be as rigorous in establishing privacy and security controls, and that stakeholders may then be targeted for lawsuits instead.

In sum, the Report illustrates some of the complex liability questions that are being addressed in the RHIO context, and this is without even getting into other areas such as directors' and officers' liability, as well as security breaches across RHIO participants. Navigating this complex and uncertain landscape continues to be challenging, but those getting started now benefit from lessons learned by others over the last year, as well as from a slightly more mature insurance market primed for RHIO and HIE risks.

Oh where, Oh where has the Security Breach Rule gone?

Today, I was going to draft a follow-up article to my previous post to address whether notification was required under the Security Breach Notification Rule. However, when I sat down to begin typing, I discovered that the Breach Rule was gone! Well, maybe not exactly gone, but at least “withdrawn”.

HHS recently posted on its website the following:

At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months. Until such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect.

So now what?

For starters, HHS made clear in its last statement that the Interim Final Rule that went into effect in September remains in effect. Therefore, whatever “difficulties” HHS/OMB/OCR may be having with regard to administering or enforcing compliance, this does not automatically give covered entities or business associates a “free pass” to not report Breaches if an incident warrants such notification – to patients, OCR or otherwise – under the Interim Final Rule. As of today, OCR’s website set up to receive breach notifications is still up and running, and so covered entities should continue to make any required reports of breaches through that website. Also, entities should be mindful that if their state has implemented a breach notification statute (as many have), then such state law must still be complied with. To see if your state has such a law, visit NCSL's website.

As for what HHS will be doing to the Breach Rule? … it’s not clear. It has been suggested that the withdrawal may have been prompted by the need to address certain privacy groups’ concerns regarding the “Harm” threshold. In particular, the Harm threshold has been heavily criticized by some as creating a loophole to avoid reporting by Business Associates, who are required ONLY to notify the Covered Entity regarding a Breach (which then triggers the Covered Entity’s obligation to notify HHS and patients of the Breach caused by the BA). Specifically, as the Breach Rule currently reads, a Business Associate is entitled to go through the same Harm analysis in order to decide whether or not to report the Breach to the Covered Entity. Some have compared this to the “fox guarding the chicken coop”. Nevertheless, I don’t believe that this warrants complete removal of the Harm balancing from the Breach Rule, and here is why:
