On February 18, 2009, the U.S. Department of Health and Human Services (“HHS”) announced that CVS will pay $2.25 million and implement an extensive corrective action plan to settle a HIPAA privacy case involving the improper disposal of patient information.  

The CVS investigation, which was a joint effort of the HHS Office of Civil Rights (“OCR”) and the Federal Trade Commission, was prompted by media reports that patient information maintained by CVS was being disposed of in industrial trash containers outside CVS pharmacies that were not secured and were easily accessible by the public.  

Robinsue Frohboese, acting director of OCR, stated that it is the hope of OCR “that this agreement will spur other health organizations to examine and improve their privacy protections for patient information during the disposal process.” To that end, OCR issued Frequently Asked Questions About the Disposal of Protected Health Information (“FAQ”). The FAQ emphasizes the need for policies and procedures addressing the disposal of patient information and employee training regarding patient information disposal. While no particular disposal method is required, each covered entity must review its own circumstances to determine what steps are reasonable.  

The announcement of the CVS settlement and the concurrent issuance of the FAQ indicates that HHS will continue to closely monitor this area of HIPAA compliance. All covered entities should review the FAQ to ensure their organization’s compliance. Further, the CVS settlement has been made public and is a resource for hospitals with institutional pharmacies to examine how HHS expects CVS pharmacies specifically to handle patient information disposal.