Top Pharmacy Chains Revealed as Repeat HIPAA Violators

JANUARY 04, 2016
Meghan Ross, Senior Associate Editor
CVS Health, Walgreens, Walmart, Express Scripts, and Rite Aid pharmacies all appear in a list of the top 10 most frequent violators of the Health Insurance Portability and Accountability Act (HIPAA).
Between 2011 and 2014, the US Department of Veterans Affairs received the greatest number of privacy complaints (220) that led to corrective action or “technical assistance” from the Office for Civil Rights within the US Department of Health and Human Services, which is responsible for enforcing HIPAA.
CVS Health was second with 204 complaints, followed by Walgreens with 183, according to a ProPublica analysis that examined federal data to uncover HIPAA violations.
Meanwhile, Walmart had the fifth-most privacy complaints (71), while Express Scripts and Rite Aid followed in seventh and eighth place with 51 and 48 complaints, respectively.

Some of the common complaints involving CVS Health included dispensing medication to the wrong patient, discussing private health information too loudly at the pharmacy counter, and faxing medical information to the wrong recipient.
A 2013 complaint stated that a CVS pharmacy might have delivered a patient’s medication to the house without a privacy bag, meaning that the patient’s protected health information was allegedly disclosed to unauthorized individuals.
In that case, the Office for Civil Rights required that the CVS employee be retrained and a risk assessment be conducted and recorded.
Another complaint made against CVS in 2014 described a situation where a patient’s prescription information was allegedly discussed loudly enough for other patients in line behind him to hear.
The Office for Civil Rights sent the pharmacy materials about privacy rule provisions related to HIPAA’s Incidental Uses and Disclosures, Reasonable Safeguards, and the Minimum Necessary requirements.
“You are encouraged to review these materials closely and to share them with your staff as part of the HIPAA training you provide to your workforce,” the letter read. “You are also encouraged to assess and determine whether there may have been an incident of noncompliance as alleged by the complainant in this matter, and if so, to take the steps necessary to ensure such noncompliance does not occur in the future.”
CVS Health spokesman Mike DeAngelis told Pharmacy Times that the company is dedicated to protecting patients’ health information.
“We have established rigorous privacy policies and procedures throughout the company to safeguard patient information,” DeAngelis said. “We also continue to invest in technologies to provide comprehensive safeguards for customer and patient information.”
He explained that CVS Health’s 200,000 employees working in pharmacies, retail medical clinics, call centers, and other facilities go through formal training on compliance with privacy policies and procedures when they are hired, plus annual training thereafter.
CVS employees also receive job-specific training on privacy practices “on a regular basis.”
“We are never complacent about privacy matters, and we constantly strive to address and reduce disclosure incidents by enhancing our training and safeguards,” DeAngelis said. “Whenever we discover that our privacy policies or procedures have not been properly followed, we take corrective action such as retraining the employees involved. Those who intentionally violate our privacy requirements and safeguards are subject to the termination of their employment.”