In yet another groundbreaking privacy case, Rite Aid has agreed to pay $1 million to settle a case involving deficient policy controls and procedures, in which employees were disposing of prescription containers with Personally Identifiable Information (PII) written on them in unsecured trash. This practice is a direct violation of the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA); in addition, the conduct violated the Federal Trade Commission's (FTC) FTC Act.
Rite Aid is one of the nation's largest drugstore chains and will be required to implement best practices and corrective actions to prevent these violations from recurring. Policies, programs and procedures must be put in place, along with a strict education and training program for the employees who handle, or are otherwise exposed to, containers bearing customers' PII. Amazingly, this is not the first time this type of violation has occurred in the drugstore industry. In February 2009, CVS Caremark Corp. agreed to pay $2.25 million to settle identical violations of the HIPAA rule. One might think a corporation would learn from its competitors' mistakes, but this is yet another instance of a corporation appearing not to take the HIPAA rules seriously or to understand the serious ramifications that follow from non-compliance.
Rite Aid was cited for several infractions by the Office of Civil Rights (OCR) and the FTC, which handle HIPAA compliance:
- Rite Aid failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process;
- Rite Aid failed to adequately train employees on how to dispose of such information properly; and
- Rite Aid did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information.
Under the HHS resolution agreement, RAC agreed to pay a $1 million resolution amount to HHS and must implement a strong corrective action program that includes:
- Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
- Training workforce members on these new requirements;
- Conducting internal monitoring; and
- Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.
These are straightforward controls that ALL companies subject to HIPAA regulations should follow. The RiskAnalytics CyberRiskTools (CRT) software platform provides the policies and programs, training materials and best-practice assessment tools needed for compliance and risk assessment across all of the infractions listed above. Implementing the training, tracking the testing, and monitoring the results are all benefits a company can realize by using our platform to achieve proper cyber risk management.
See the official U.S. Department of Health & Human Services (HHS) news release for the full resolution agreement.
