CVS in the HIPAA Spotlight…Again.
On March 7, CVS Caremark (CVS) hit the HIPAA spotlight again, and not in a good way. Back in 2009, CVS was the target of a joint U.S. Department of Health and Human Services (HHS) Offices for Civil Rights (OCR) and Federal Trade Commission (FTC) investigation after media reports alleged that certain CVS locations were disposing of pill bottles containing patient information in unsecured dumpsters. Although CVS denied the allegations, CVS shelled out a $2.25 million settlement as well as took corrective action to settle both potential HIPAA and FTC violations. As a result, CVS is being actively monitored by HHS until 2012 and by the FTC for the next 20 years. Then this past October, CVS was sued by six Texas pharmacies for trade secret misappropriation and Racketeer and Influenced and Corrupt Organizations Act (RICO) violations as a result of certain CVS data-mining practices. The plaintiffs, who are board members of the American Pharmacies, alleged that CVS denied patients choice of pharmacies and smothered business competition as well as used patient PHI in violation of HIPAA.
Now, Strike 3. Bloomberg News reported recently that CVS has been sued by a Pennsylvania resident, Arthur Steinberg, and the Philadelphia Federation of Teachers Health and Welfare Fund, for selling patient prescription information to pharmaceutical manufacturers such as Merck & Co, AstraZeneca and Bayer. Allegedly, CVS was paid by pharmaceutical manufacturers to encourage physicians to prescribe their drugs to patients. “CVS encouraged physicians to do so through letters which included patient names, dates of birth and what medications patients were currently prescribed, allegedly obtained from CVS pharmacy services.” The lawsuit accuses CVS of unfair trade practices, unjust enrichment and violating consumer protection laws.
As Cignet Health and Mass General know all too well from the combined $5.3 million in civil penalties imposed recently by OCR, OCR is pursuing HIPAA violations with a vengeance as a result of HITECH’s increased enforcement and CVS could potentially face a HIPAA investigation in addition to the pending lawsuits. HIPAA as amended by HITECH generally prohibits Covered Entities and their Business Associates from marketing and selling PHI without first obtaining patient authorization. Only under very limited circumstances may patient information be “sold” or released without authorization for such purposes. Investigation by OCR is even more likely given that CVS has been under OCR’s watchful eye since 2009. In addition, CVS’s actions could also potentially violate its 2009 settlement agreement with OCR, placing it in even more hot water.
