Video Case Study


12/28/2020 Print Preview

https://ng.cengage.com/static/nb/ui/evo/index.html?deploymentId=5835051934529006900868413293&eISBN=9781337614467&id=1034289158&nbId… 1/2

19-2a HIPAA Privacy Case of 2009

As a company grows and achieves widespread influence, it also inherits a responsibility to act ethically and within the law. In 2009 CVS was accused of improperly disposing of patients’ health information. It was alleged that company employees threw prescription bottle labels and old prescriptions into the trash without destroying sensitive patient information, making it possible for the information to fall into public hands. This is a violation of the HIPAA Privacy Rule, which requires companies operating in the health industry to properly safeguard the information of their patients. The allegations initiated investigations by the Office of Civil Rights and the FTC, marking the first such collaborative investigation into a company’s practices. These investigations revealed other issues as well, including a failure of company policies and procedures to completely address the safe handling of sensitive patient information, lack of proper employee training on disposal of sensitive information, and negligence in establishing repercussions for violations of proper disposal methods. This was in spite of the fact that CVS materials reassure clients that their privacy is a top priority for the pharmacy. This claim, in addition to the investigative findings, prompted the FTC to allege that CVS was making deceptive claims and had unfair security practices, both of which are violations of the FTC Act.

CVS settled the case with the U.S. Department of HHS, which oversees the enforcement of the HIPAA Privacy Rule, for $2.25 million regarding improper disposal of patients’ health information. The settlement also mandated that the company implement a Corrective Action Plan with the following seven guidelines:

(1) revise and distribute policies regarding disposal of protected health information;

(2) discipline employees who violate them;

(3) train its workforce on new requirements;

(4) conduct internal monitoring;

(5) involve a qualified, independent third party to assess company compliance with requirements and submit reports to HHS;

(6) establish internal reporting procedures requiring employees to report all violations of these new privacy policies; and

(7) submit compliance reports to HHS for three years.

The company also settled with the FTC by signing a consent order, requiring the company to develop a comprehensive program that would ensure the security and confidentiality of information collected from customers. In so doing, the company agreed to a biennial audit from an independent third party. This audit is meant to ensure that CVS’s program meets the FTC’s standards for its security program. CVS is forbidden by law from misrepresenting its security practices.

© 2020 Cengage Learning Inc. All rights reserved. No part of this work may be reproduced or used in any form or by any means - graphic, electronic, or mechanical, or in any other manner - without the written permission of the copyright holder.