Prepared by Krystyna Nowik.
In a recent settlement agreement, Rite Aid Corporation and its affiliated entities have agreed to shell out $1 million in order to settle potential HIPAA violations. The Office of Civil Rights (OCR) and the Federal Trade Commission (FTC) launched an investigation against Rite Aid and its affiliates after media reports showed Rite Aid pharmacies across the country had disposed of prescription and pill bottles containing protected health information (PHI) in publically accessible dumpsters. The investigation indicated that Rite Aid entities failed to implement appropriate policies and procedures to safeguard PHI during the disposal process. It also found that Rite Aid entities did not provide and document appropriate training for their employees in disposing PHI. Finally, the investigation indicated that Rite Aid entities had not implemented a sanction policy to deal with employees who violated the disposal policies and procedures.
The Rite Aid Resolution Agreement is an important tool for other covered entities in assessing and developing policies and procedures for disposing of PHI. Covered entities should ask themselves:
- Is there an up-to-date policy for the disposal of PHI? Are employees aware of it?
- Are employees properly trained on how to dispose of PHI? How is training documented?
- What sanctions are in place? Are employees reeducated, reprimanded or otherwise appropriately sanctioned after a violation?
- How is off-site destruction/disposal dealt with? Are business associate contracts HIPAA compliant?
- Is there an internal and/or third-party auditing system in place to ensure employees are complying with the disposal and other HIPAA policies?
Read the full Rite Aid Resolution Agreement posted on HHS's website. For additional guidance and best practices for disposal of PHI, see the joint FAQ posted by HHS and CMS on the topic that is helpful. The FAQ even describes how to properly dispose of computers and other electronic media that store electronic PHI, which is of particular relevance for Health Information Exchanges.
Krystyna is a graduate of Seton Hall Law School, with a concentration in Health Law. She works with Oscislawski LLC on various Health Information Exchange matters and is a guest contributor to Legal HIE.