Top Pharmacy Chains Revealed as Repeat HIPAA Violators

CVS Health, Walgreens, Walmart, Express Scripts, and Rite Aid pharmacies all appear in a list of the top 10 most frequent violators of the Health Insurance Portability and Accountability Act (HIPAA).

Between 2011 and 2014, the US Department of Veterans Affairs received the greatest number of privacy complaints (220) that led to corrective action or “technical assistance” from the Office for Civil Rights within the US Department of Health and Human Services, which is responsible for enforcing HIPAA.

CVS Health was second with 204 complaints, followed by Walgreens with 183, according to a ProPublica analysis that examined federal data to uncover HIPAA violations.

Meanwhile, Walmart had the fifth-most privacy complaints (71), while Express Scripts and Rite Aid followed in seventh and eighth place with 51 and 48 complaints, respectively.

Some of the common complaints involving CVS Health included dispensing medication to the wrong patient, discussing private health information too loudly at the pharmacy counter, and faxing medical information to the wrong recipient.

A 2013 complaint stated that a CVS pharmacy might have delivered a patient’s medication to the house without a privacy bag, meaning that the patient’s protected health information was allegedly disclosed to unauthorized individuals.

In that case, the Office for Civil Rights required that the CVS employee be retrained and a risk assessment be conducted and recorded.

Another complaint made against CVS in 2014 described a situation where a patient’s prescription information was allegedly discussed loudly enough for other patients in line behind him to hear.

The Office for Civil Rights sent the pharmacy materials about privacy rule provisions related to HIPAA’s Incidental Uses and Disclosures, Reasonable Safeguards, and the Minimum Necessary requirements.

“You are encouraged to review these materials closely and to share them with your staff as part of the HIPAA training you provide to your workforce,” the letter read. “You are also encouraged to assess and determine whether there may have been an incident of noncompliance as alleged by the complainant in this matter, and if so, to take the steps necessary to ensure such noncompliance does not occur in the future.”

CVS Health spokesman Mike DeAngelis told Pharmacy Times that the company is dedicated to protecting patients’ health information.

“We have established rigorous privacy policies and procedures throughout the company to safeguard patient information,” DeAngelis said. “We also continue to invest in technologies to provide comprehensive safeguards for customer and patient information.”

He explained that CVS Health’s 200,000 employees working in pharmacies, retail medical clinics, call centers, and other facilities go through formal training on compliance with privacy policies and procedures when they are hired, plus annual training thereafter.

CVS employees also receive job-specific training on privacy practices “on a regular basis.”

“We are never complacent about privacy matters, and we constantly strive to address and reduce disclosure incidents by enhancing our training and safeguards,” DeAngelis said. “Whenever we discover that our privacy policies or procedures have not been properly followed, we take corrective action such as retraining the employees involved. Those who intentionally violate our privacy requirements and safeguards are subject to the termination of their employment.”

In response to a request for comment, Walgreens spokesman James W. Graham highlighted a statement in ProPublica’s report that he said “put the numbers in perspective.”

The point Graham emphasized was that the companies with the most HIPAA violations were health care providers with many locations and millions of patients.

“Walgreens takes the privacy and security of our customers’ information very seriously,” he added. “Walgreens thoroughly investigates any concerns about privacy regardless of how it is brought to our attention and will voluntarily improve practices if necessary. We appreciate the feedback and expertise that the Office for Civil Rights provides and work with [it] to ensure that our customers are protected.”

Express Scripts spokeswoman Jennifer Leone Luddy told Pharmacy Times that the company has never been sanctioned by the Office for Civil Rights in relation to a HIPAA complaint.

“The vast majority of the allegations didn’t impact more than one person, and they typically were the result of a member changing his/her mailing address without notifying us,” Luddy told Pharmacy Times.

ProPublica investigators determined that the Office for Civil Rights has made little effort to take meaningful action against repeat violators.

Since 2009, the agency has reported fewer than 30 cases where a violator has agreed to pay fines.

A previous ProPublica report also found that regulators rarely punish violators in small-scale cases involving a breach of one or two patients’ private health information. Experts told ProPublica that cases involving one bad apple at a company are to be expected, but repeated violations concerning the same kind of privacy issue may point to larger organizational problems.

No documents on Express Scripts’ privacy complaints are publicly available through ProPublica’s online database, which allows patients to find out if their hospital, clinic, pharmacy, or health insurer has been involved in a patient privacy complaint, breach, or violation. However, Luddy maintained that all allegations associated with Express Scripts had been resolved or dismissed by the Office for Civil Rights as being unsubstantiated.

“We implement strict privacy protocols, conduct regular HIPAA compliance training for all employees, and dedicate significant resources to protecting our patients' privacy and to ensuring full compliance with HIPAA regulations,” she said.

Luddy echoed some of the Walgreens spokesman’s statements—namely, that it is not uncommon for large health care companies to receive inquiries from the Office for Civil Rights.

“Express Scripts processed more than 5 billion prescriptions over this 4-year window and engaged in millions more interactions with pharmacies, physicians, and patients that all require full compliance with HIPAA,” Luddy said.

Spokespeople for Walmart and Rite Aid pharmacies have not yet responded to Pharmacy Times’ request for comment.