WTHR investigation leads to record $2.25M HIPAA settlement

Bob Segall/13 Investigates

13 Investigates' "Prescription Privacy" investigation has resulted in a $2.25 million settlement agreement between the U.S. Department of Health and Human Services (HHS) and the nation's largest retail drugstore chain.

CVS, which operates more than 6,000 pharmacies, has agreed to pay the record-setting settlement and implement a "robust corrective action plan" after WTHR found the company was tossing its customers' private healthcare records into unsecured dumpsters in Indianapolis and other cities nationwide.

"This is a very important settlement," said Robinsue Frohboese, acting director of HHS' Office for Civil Rights. "The millions of customers who go to CVS pharmacies will now have the confidence that their very personal healthcare information will, in fact, be protected."

During its investigation, HHS found that CVS failed to implement adequate policies and procedures to reasonably and appropriately safeguard protected health information during the disposal process; failed to adequately train employees on how to dispose of such information properly; and did not maintain and implement a sanctions policy for members of its workforce who failed to comply with its disposal policies and procedures.

Frohboese said WTHR's 2006 investigation "formed the basis of the [federal] investigation," which was launched after Indianapolis-area CVS customers filed complaints with the Office of Civil Rights.

Jackie Wright was one of those customers.

Wright felt betrayed by her drugstore after learning her family's healthcare records were among dozens of private healthcare documents WTHR found in a dumpster behind a northwest side CVS.

"They are supposed to be shredding it, getting rid of it and destroying it - not throwing it in the dumpster where people can get your personal information," she told WTHR in June 2006. Soon after, Wright filed a federal HIPAA complaint, alleging that CVS failed to protect her privacy.

She heard nothing about her complaint -- until today.

"I thought everybody forgot about it and that nobody really cared," she said. "But $2.25 million, that's a lot of money... $2.25 million says they do think about what you say."

Unfortunately for Wright, complainants will not get any of the pay-out. HHS says all of the settlement money has been deposited into the US Treasury and will be used to investigate other cases involving companies accused of violating healthcare privacy regulations.

As part of its 20-page settlement, CVS is required to fully implement an action plan designed to protect patient information from being discarded into unsecured dumpsters. The plan will be monitored for 20 years by the Federal Trade Commission, which assisted the Office For Civil Rights in the investigation, marking the first time the agencies have worked together to enforce violations of the nation's healthcare privacy law.

Much of CVS's corrective action plan was developed in late 2006 after 13 Investigates expanded its investigation to show the company's privacy violations extended far beyond Indianapolis.

In summer and fall of 2006, WTHR visited cities across the nation and, despite assurances from CVS that it had taken corrective measures at its pharmacies, 13 Investigates found the company was still failing to protect customer privacy. WTHR found protected patient records in CVS dumpsters in Boston, Chicago, Cleveland, Detroit, Dallas, Louisville, Miami, New Haven (Conn.), Philadelphia, and Phoenix. 13 Investigates also found hundreds of private customer records tossed into CVS dumpsters in Woonsocket, R.I., which is home to CVS world headquarters. The investigation also revealed similar problems at Walgreens and RiteAid pharmacies, the country's second and third largest drugstore chains.

On Wednesday, CVS released a statement saying it agreed to the settlement "to avoid the time and expense of further legal proceedings" and the "company denied engaging in any wrongful conduct."

But that contradicts earlier statements made by corporate officials.

Two years ago, when 13 Investigates went to CVS headquarters to show what we found, CVS privacy officer Christine Egan admitted "We are not safeguarding customer privacy as we are required to do... It's sad and intolerable."

Today's agreement is only the second monetary settlement involving HIPAA violations since the Health Insurance Portability and Accountability Act took effect in 2003, and the $2.25 million figure shatters the previous settlement. In July 2008, HHS entered into its first HIPAA settlement agreement with Seattle-based Providence Health & Services. The company paid $100,000 stemming from lost and stolen computers containing health information.

Federal regulators say they hope this latest settlement will help them promote the importance of protecting healthcare information, and HHS has posted a tip sheet for other businesses to learn from CVS' mistakes.

"The Office For Civil Rights is using this opportunity to get good information out to healthcare providers about appropriate ways to dispose of personal health information," Frohboese said.

HHS won't comment on the possibility of a settlement agreement with Walgreens and other pharmacies involved in WTHR's Prescription Privacy investigation, which also prompted formal complaints against CVS and Walgreens by the Indiana Attorney General. Those cases are still pending before the Indiana Board of Pharmacy.