Rite Aid – HIPAA Violation – Lessons Learned Not Implemented

 

Did everyone see this ultimate lesson regarding lessons learned but not implemented?

Remember back in February 2009 when the Federal Trade Commission (FTC) issued a settlement against CVS Caremark?  According to the settlement, CVS Caremark violated the HIPAA privacy rule and the FTC Act when some of its stores improperly disposed of prescription information and pill bottles that had patient information on them.  The settlement resulted in a $2.25 million fine and they must ensure their security program meets the standards of the settlement [including ongoing audits] for the next 20 years.

Now roll the clock ahead to July 2010 and another pharmacy chain – Rite Aid Corp. – has agreed to pay a $1 million fine because they violated the HIPAA privacy rule and the FTC Act when some if its stores improperly disposed of prescription information in dumpsters.

The HHS settlement against Rite Aid requires their pharmacies to:

• Establish policies and procedures for disposing protected health information and sanctioning workers who do not follow them;
• Create a training program for disposing of patient information;
• Conduct internal monitoring;
• Obtain an independent assessment of its compliance for three years.

 

The FTC settlement against Rite Aid requires the company to:

• Establish a comprehensive information security program designed to protect the security, confidentiality and integrity of the personal information it collects from consumers and employees;
• Obtain, every two years for the next 20 years, an audit from a qualified independent third-party professional to ensure that its security program meets the standards of the settlement.

 

For lessons learned to become lessons implemented, organizations must ensure that their program [security, privacy, compliance, risk management, etc.] is clearly defined, communicated, acknowledged by all appropriate personnel, documented, updated and maintained on an ongoing basis.

Unfortunately most programs are just pushed out on portals, intranets and shared drives or blasted out in binders, e-mails and memorandums.

Albert Einstein said it best:

“Insanity is doing the same thing over and over again and expecting different results.”

Are you and your organization doing the same thing over and over again and expecting different results?