W4 Video case study

Chapter 19: CVS: “Fired Up” about Social Responsibility: 19-2a HIPAA Privacy Case of 2009 Book Title: Business Ethics: Ethical Decision Making and Cases Printed By: Kennisha Holloman (kholloman@grantham.edu) © 2019 Cengage Learning, Cengage Learning

19-2a HIPAA Privacy Case of 2009

As a company grows and achieves widespread influence, it also inherits a responsibility to act ethically and within the law. In 2009 CVS was accused of improperly disposing of patients’ health information. It was alleged that company employees threw prescription bottle labels and old prescriptions into the trash without destroying sensitive patient information, making it possible for the information to fall into public hands. This is a violation of the HIPAA Privacy Rule, which requires companies operating in the health industry to properly safeguard the information of their patients. The allegations initiated investigations by the Office of Civil Rights and the FTC, marking the first such collaborative investigation into a company’s practices. These investigations revealed other issues as well, including a failure of company policies and procedures to completely address the safe handling of sensitive patient information, lack of proper employee training on disposal of sensitive information, and negligence in establishing repercussions for violations of proper disposal methods. This was in spite of the fact that CVS materials reassure clients that their privacy is a top priority for the pharmacy. This claim, in addition to the investigative findings, prompted the FTC to allege that CVS was making deceptive claims and had unfair security practices, both of which are violations of the FTC Act.

CVS settled the case with the U.S. Department of HHS, which oversees the enforcement of the HIPAA Privacy Rule, for $2.25 million regarding improper disposal of patients’ health information. The settlement also mandated that the company implement a Corrective Action Plan with the following seven guidelines:

revise and distribute policies regarding disposal of protected health information;

discipline employees who violate them;

train its workforce on new requirements;

conduct internal monitoring;

involve a qualified, independent third party to assess company compliance with requirements and submit reports to HHS;

establish internal reporting procedures requiring employees to report all violations of these new privacy policies; and

submit compliance reports to HHS for three years.

The company also settled with the FTC by signing a consent order, requiring the company to develop a comprehensive program that would ensure the security and confidentiality of information collected from customers. In so doing, the company agreed to a biennial audit from an independent third party. This audit is meant to ensure that CVS’s program meets the FTC’s standards for its security program. CVS is forbidden by law from misrepresenting its security practices.

© 2020 Cengage Learning Inc. All rights reserved. No part of this work may be reproduced or used in any form or by any means - graphic, electronic, or mechanical, or in any other manner - without the written permission of the copyright holder.