Skip Navigation

CVS Settlement Agreement of $2.25 Million for HIPAA Violations

Bookmark and Share

On February 18, 2009 WTHR in Indianapolis reported that the “Prescription Privacy” investigation it launched in 2006 has resulted in a $2.25 million settlement agreement between the U.S. Department of Health and Human Services (HHS) and CVS. 

The HHS and Office of Civil Rights investigation of CVS revealed serious HIPAA violations including failure to safeguard protected health information during the disposal process and inadequate training and compliance of employees with its disposal policies and procedures. In addition to the $2.25 million settlement, CVS is required to put together an action plan to protect patient information from being improperly discarded. Federal regulators are utilizing this settlement as a way to promote the protection of healthcare information. 

In 2006, WTHR found improperly discarded private health care records in unsecure dumpsters at CVS pharmacies in more than 10 cities across the U.S. including Woonsocket, R.I., where the CVS headquarters is located. As a result, CVS is now paying the highest settlement for HIPAA violations to date. In July, 2008 Providence Health & Services paid $100,000 due to lost and stolen computers containing private health information. 

HIPAA violation investigations and fines are continuing to have a negative impact on non-compliant companies. Currently, cases are still pending for Walgreens before the Indiana Board of Pharmacy. CVS and Walgreens could benefit from contracting a secure information destruction company from an ethical, financial and public relations viewpoint.

 Full Article