Walgreens HIPAA Violations Do Not Result in Financial Penalty

Walgreens HIPAA violations discovered by reporters from WTHR 13 in 2006 have not resulted in any punitive action being taken by the Department of Health and Human Services’ Office for Civil Rights (OCR). According to a recent WTHR 13 report, the case against Walgreens has now been closed.

Potential Walgreens HIPAA violations were uncovered by WTHR 13 reporters in 2006 following an investigation into the suspected dumping of protected health information (PHI) in regular trash. The investigation was started after a report was received from an Indiana resident who had been robbed at her home by a drug addict. The woman was targeted because she was known to have been provided with prescription pain medication. The robber had obtained her personal information and prescription details from a dumpster outside a pharmacy.

The investigation started in Indiana, although it was later expanded to 12 states. The reporters discovered numerous pharmacies were disposing of PHI in dumpsters that could be accessed by members of the public: A violation of HIPAA Rules.

Walgreens was not the only pharmacy that was discovered to be improperly disposing of PHI. Rite Aid and CVS were similarly found to have breached HIPAA Rules by failing to render PHI unreadable or indecipherable before disposal.

A complaint was filed with the Office for Civil Rights and an investigation was launched in 2007. In addition to Walgreens, HIPAA violations were discovered to have occurred at CVS and Rite Aid.

The case against CVS was eventually settled and resulted in the pharmacy chain paying a settlement of $2.25 million to the OCR. The case against Rite Aid similarly resulted in a settlement. $1 million was paid to resolve the case. However, no settlement was reached regarding the Walgreens HIPAA violations.

The OCR has recently closed the Walgreens case, although it has taken almost 10 years to do so.  After enquiring about the status of the case against Walgreens, WTHR 13 was informed that no action has been taken because the case was resolved through voluntary compliance. Walgreens took prompt action to change its policies and procedures and ensured that PHI was disposed of in accordance with HIPAA Rules.

Walgreens ensured that all dumpsters used by its pharmacies were fitted with locks to ensure PHI could not be accessed. When it was not possible to lock dumpsters, gate locks were fitted to prevent access. Walgreens also ensured that staff were trained on HIPAA Rules covering the disposal of PHI. Because of these actions, OCR believed all of the issues that were raised in the complaints were satisfactorily resolved. A financial penalty was therefore not appropriate.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news