CVS settles privacy charges

The CVS Caremark Corp. agreement to pay a $2.25 million settlement following federal charges that employees compromised customer privacy by throwing pill bottles and prescription records into open dumpsters.

The settlement sends a message to healthcare organizations that their paper privacy and data security is insufficient, says one expert.

“Clearly, the CVS settlement and others, and stimulus-bill expansions to HIPAA, reflect the continuing belief of Congress and regulators that healthcare organizations aren’t doing their job,” says Cynthia Marcotte Stamer, a member of Glast, Phillips & Murray, PC, Dallas, Texas.

The biggest driver is the perception that companies have not acted promptly to operationally comply with HIPAA, FACTA’s red flag and other rules.

“This concern is fueled by the recognition of the growing magnitude of the U.S. identity theft problem and that healthcare data includes particularly sensitive private information,” she says.

According to Stamer, healthcare organizations must update and build out the policies, training and internal controls necessary to be able to prove that they require and enforce operational compliance.

HHS will monitor CVS for the next three years to make sure patient information is protected and employees are properly trained, with sanctions in place for workers who do not follow the disposal rules.

In a statement, CVS said it is not aware of any consumers being harmed and has not acknowledged any wrongdoing, but settled the investigation “to avoid the time and expense of further legal proceedings.”

At the end of the third quarter, CVS operated 6,347 drugstores in the United States, making it the second-largest chain, after Walgreen Co.