Case Studies and Examples

The following case studies show how the laws discussed in this chapter are used. These case studies are real-world examples of how regulatory agencies apply laws and rules to protect PHI.

OCR Enforcement Information

The OCR posts HIPAA Privacy and Security Rule enforcement news on its webpage, as well as summaries of enforcement activities. It also posts monthly statistics about its activities, as well as case examples and resolution agreements for HIPAA violations.

The OCR enforcement activities webpage can be found at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html.

HIPAA and Federal Trade Commission Act

Sometimes an act can touch several compliance laws. In 2006, an Indianapolis, Indiana, television news station conducted an investigative report on prescription privacy. As part of its report, the news station looked at the contents of pharmacy dumpsters to see if pharmacies properly disposed of patient information. It checked the contents of unsecured, unlocked dumpsters. There was nothing stopping the public from sifting through these dumpsters.

The news station reported that CVS pharmacies were throwing sensitive personal information in the trash. CVS, one of the largest pharmacy retailers in the United States, has more than 6,000 stores. The investigation found that CVS was throwing away unredacted pill bottles that included patient names, addresses, physician names, and the names of medication. CVS also threw away medication instruction sheets containing personal information, as well as pharmacy receipts with credit card and health insurance account numbers. All of this information was unredacted PHI. Other media outlets reported that CVS stores across the United States also were improperly disposing of PHI.

Information about the “Prescription Privacy” investigative report can be found at https://www.wthr.com/article/news/investigations/13-investigates/part-one-prescription-privacy/531-811d33f4-344c-4614-922d-a9e75a5fa1b4.

At the time, CVS’s privacy policy stated: “CVS/pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information (‘Protected Health Information’ or ‘PHI’). PHI is information about you, including basic information that may identify you and relates to your past, present, or future health or condition and the dispensing of pharmaceutical products to you. We take this responsibility very seriously.”

CVS disposal practices were investigated by the HHS and the Federal Trade Commission (FTC). It was the first time that HHS and the FTC worked together on an investigation. HHS, through the OCR, investigated CVS for violations of the HIPAA Privacy Rule and found that CVS violated the Privacy Rule in several ways. Its review indicated that CVS did not properly safeguard PHI during the media disposal process. It also found that CVS did not properly train its employees on how to dispose of PHI, or have a sanctions policy.

The FTC investigated CVS for violations of the FTC Act. It alleged that CVS made false and deceptive statements about its privacy policies: CVS promised customers that it would protect their personal information from unauthorized access, but did not actually do so. Misleading statements of this kind are illegal under the FTC Act.

CVS responded that there was no verification of the media reports. However, it settled charges with the FTC and HHS to resolve the cases. The FTC consent agreement required CVS to create a comprehensive information security program to protect the personal information that CVS collects from consumers and employees. The order also required CVS to get an independent audit of its security program every 2 years until 2029. In addition, CVS may not make any misrepresentations about the company’s security practices.

The FTC complaint and consent agreement can be found at http://www.ftc.gov/enforcement/cases-and-proceedings/cases/2009/06/matter-cvs-caremark-corporation-corporation. (Look for the February 18, 2009, entries.)

Under the HHS resolution agreement, CVS agreed to pay $2.25 million to settle all claims. It also agreed to follow a corrective action plan that required it to create policies to comply with the HIPAA Privacy Rule. To do so, it must create policies and procedures to safeguard PHI during disposal and establish an employee training program. CVS also must create an employee sanctions policy to discipline employees who fail to follow the Privacy Rule. The HHS resolution agreement also requires independent review of CVS compliance. CVS must be reviewed each year. The agreement requires 3 years of monitoring. The HHS resolution agreement and corrective action plan can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresolutionagreement.html.

NOTE

An HHS resolution agreement is similar to an FTC consent order. Both are settlement agreements.
