Safeway Issued $10M HIPAA Fine for Improper Dumping

For more than seven years, the grocery chain Safeway has been improperly disposing of confidential patient records from its pharmacies, according to California prosecutors. In 2012 and 2013, state regulators inspected the waste from dozens of stores and found repeated examples of improper disposal of hazardous items and confidential material over the course of their 18-month investigation. The discarded material included patient health records and personally identifiable information.

Under state laws – and also as required for HIPAA compliance – all Protected Health Information must be disposed of securely and be permanently destroyed or otherwise rendered unreadable. Safeway had repeatedly violated these laws at a number of its stores.

Safeway was also found to have violated waste disposal regulations by failing to segregate hazardous waste. Pharmaceutical products were not destroyed, toxic materials were disposed of in regular waste, and aerosols, batteries, electronic equipment and flammable liquids were all placed in dumpsters destined for landfill sites.

Inspectors reported numerous violations at 40% of the stores they inspected, and the stores inspected were only a small percentage of the 500 stores operated by the chain in California.

The Health Insurance Portability and Accountability Act and its subsequent updates have helped to introduce minimum standards in healthcare to protect the privacy of patients.  Individual states can demand higher standards than those required by HIPAA and California has exercised this right, with Safeway also found to have violated the California Confidentiality of Medical Information Act.

The Alameda District Attorney, Kenneth Mifsud, released a statement saying “The inspections revealed that Safeway was routinely and systematically sending hazardous wastes to local landfills, and was failing to take measures to protect the privacy of their pharmacy customers’ confidential medical information.” He went on to say “There’s a risk of identity theft committed by dumpster divers, and unfortunately by some members of staff.”

It is impossible to calculate the number of potential victims, but given how long the improper dumping was allowed to continue, it is highly probable that many patients' confidential information has been viewed.

Safeway has now settled the case for $9.87 million, although those fines were for unfair business claims and its numerous environmental violations. Safeway must also immediately correct all issues and “maintain, and enhance, as necessary” its policies covering the correct segregation and disposal of waste, and ensure that these policies are put into practice. It must also ensure that staff are trained on correct waste disposal, that they have the means to separate waste, and that waste is disposed of correctly in future across all 500 of its California stores.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news