On February 18, 2009, the Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) announced that they had separately entered into agreements with CVS Caremark Corporation to settle charges that the company failed to protect sensitive medical and financial information of its customers and employees.  

The agencies opened their investigations as a result of media reports from around the country that certain CVS pharmacies were disposing of various (non-electronic) items containing sensitive financial and medical information into industrial dumpsters that were accessible by the public.  

Included among the items thrown away as trash were pill bottles containing protected health information (PHI) (e.g., patient names, medication, and dosages); computer order information; employment applications, including social security numbers; payroll information; credit card and insurance card information; account numbers; and drivers’ license information.  

The HHS investigation—led by the Office of Civil Rights (OCR)—focused on possible violations by CVS pharmacies of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. HIPAA requires pharmacies (among other HIPAA-covered entities) to apply appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, even during disposal. OCR’s review of CVS’ practices indicated that CVS failed to:  

  • implement policies and procedures that were designed reasonably and appropriately to safeguard PHI during the disposal process;  
  • provide adequate training to employees regarding disposal of PHI; and  
  • maintain a sanctions policy for employees who failed to comply with PHI disposal policies and procedures.  

To settle the matter, CVS agreed to pay a $2.25 million fine and comply with a Corrective Action Plan (CAP) that applies to all CVS retail pharmacies, including 6,300 stores.  

The CAP also requires, among other things, internal monitoring of compliance with the new policies and procedures; engaging a qualified, independent third party to conduct assessments of CVS compliance with the CAP requirements and provide reports to HHS; internal reporting procedures that would require employees to report all violations of the new policies and procedures; and compliance reports submitted to HHS for the term of the CAP (three years).  

The FTC’s complaint focused on possible violations of federal consumer protection laws that prohibit unfair and deceptive practices. In particular, CVS’ privacy policy represented that “CVS/pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information (“Protected Health Information” or “PHI”).” This representation would have indicated to consumers that CVS implemented reasonable and appropriate safeguards to protect personal information against unauthorized access. However, the FTC’s investigation revealed that CVS failed to:  

  • implement policies and procedures to dispose of the information securely, including,
  • but not limited to, rendering the information unreadable in the course of disposal;  
  • adequately train employees to dispose of information securely;  
  • use reasonable measures to assess compliance with established policies and procedures for disposal of the information; and  
  • employ a reasonable process for discovering and remedying risks to the information.  

Based on these failures, the FTC alleged that the privacy policy misrepresented CVS’ security practices and, as a result, the privacy policy statement was deceptive and the security practices were unfair.  

Under the FTC’s Consent Order, CVS is prohibited from making future misrepresentations of the company’s security practices. It also must, among other things, implement a comprehensive information security program designed to protect the security, confidentiality, and integrity of the personal information it collects from consumers and employees; obtain a biennial audit (for 20 years) by a qualified, independent third party to ensure that the security program meets the standards of the Consent Order; and satisfy record-keeping and compliance reporting obligations.  

The settlements are significant because they mark the first time that HHS and the FTC have worked together to investigate and resolve privacy and security charges brought against a health care provider and to challenge the security of employee data. The resolution agreement reflects HHS’ efforts to step up enforcement of the HIPAA Privacy and Security Rules, and the FTC settlement demonstrates the FTC’s continued interest in enforcing reasonable information security practices.  

The dual settlements further suggest that health care providers will not be treated differently from other companies holding consumers’ sensitive medical and financial information simply because they are also subject to the HIPAA Privacy and Security Rules.  

Accordingly, we expect that HHS and the FTC will continue to collaborate on future investigations of privacy and security violations by HIPAA-covered entities (i.e., most health care providers, health plans, and health care clearinghouses).  

Coincident with the resolution of its enforcement action against CVS, HHS posted a new FAQ addressing HIPAA Privacy Rule requirements concerning disposal of PHI.

HHS’s press release and links to the CAP and the new FAQ are available here.