Rite Aid has agreed to pay $1 million in fines to resolve allegations that it violated the Health Insurance Portability and Accountability Act by disposing of pharmaceutical bottles and prescription information into publicly accessible dumpsters near Rite Aid stores. Under the Department of Health and Human Services’ resolution agreement, released on July 27, Rite Aid must implement a three-year corrective action program, which includes the adoption of revised policies and procedures concerning the disposal of sensitive health-related information, employee training programs related to the revised policies and procedures and penalties for employees who fail to comply with them. In addition to the HHS resolution agreement, Rite Aid has entered into a separate but related settlement with the FTC to resolve allegations that the company failed to live up to promises made in its privacy policy that it would protect customers’ sensitive medical information. The FTC settlement will require Rite Aid to implement a comprehensive information security program and obtain independent audits of the program for twenty years.

Resolution Agreement between Rite Aid Corporation and the Department of Health and Human Services

In re Rite Aid Corporation, FTC File No. 072-3121, Agreement Containing Consent Order

Editor’s Note: The settlement is discussed further on the Proskauer Privacy Law blog.