Leading pharmacy chains report multiple HIPAA violations

https://www.nuemd.com/news/2016/02/16/leading-pharmacy-chains-report-multiple-hipaa-violations

In recent years, the Department of Health and Human Services’ Office of Civil Rights has ramped up its efforts to enforce the privacy rule of the Health Insurance Portability and Accountability Act of 1996. The privacy rule concerns the protection of patient confidentiality, and enforcement of the rule by healthcare providers has come under increased scrutiny from the OCR due to the increased number of digital platforms, such as electronic health records, that make a privacy violation more likely. Penalties for violations of HIPAA usually include a substantial fine and mandatory retraining sessions. The OCR recently announced that 2016 will feature the debut of a new system of routine audits for major healthcare providers, a process that is set to begin early this year, according to Law360.  

Major pharmacy chains are significant HIPAA offenders
According to a recent article from Pharmacy Times, two of the nation’s leading pharmacy chains – CVS and Walgreens – have been at the center of multiple HIPAA violation complaints during a period spanning from 2011 to 2014. The data was accrued from a ProPublica investigation into federal records pertaining to HIPAA. The research revealed that CVS topped Walgreens with a reported 204 complaints – Walgreens was reported to the OCR 183 times during the period. Other pharmacy chains also made the top 10 list of offenders, with Walmart being reported 71 times and Rite Aid pharmacy receiving 48 complaints of misconduct.

As Pharmacy Times detailed, some of the most common reported infractions included pharmacy staff members speaking too loudly, compromising patient confidentiality, and giving medication to the wrong patients. 

A majority of the complaints involved minor breaches, involving just one individual, and subsequently the response from the OCR was cautionary in nature. In each case, the OCR responded by sending letters to the organizations, requesting that they review HIPAA mandates and enforce HIPAA compliance training for all staff. CVS responded to the investigation by asserting that as a company it takes patient confidentiality extremely seriously. Spokesman for CVS Mike DeAngelis was quoted by Pharmacy Times. 

“We are never complacent about privacy matters, and we constantly strive to address and reduce disclosure incidents by enhancing our training and safeguards. Whenever we discover that our privacy policies or procedures have not been properly followed, we take corrective action such as retraining the employees involved. Those who intentionally violate our privacy requirements and safeguards are subject to the termination of their employment,” he said.

Executives from Walgreens responded in a similar way, emphasizing that patient confidentiality remains a paramount concern for the company.

Is the OCR too lax?
Pharmacy Times detailed that since 2009, little, if any, action has been taken against large organizations with multiple complaints of HIPAA violations. The ProPublica investigation found that less than 30 incidences had seen a company pay out a financial penalty. This is because the OCR generally refuses to punish organizations for violations that include two patients or fewer. The multiple complaints that Walgreens and CVS received, however, will likely have some critics wondering if the OCR is too lax in its approach. Other commentators, however, might suggest that the numbers are relative and that a couple of hundred complaints in a three-year period for a large organization isn’t particularly significant.

Large hospitals pay out
In contrast to the mild response that CVS and Walgreens both received from the OCR, a number of large hospitals have recently been slapped with enormous financial penalties for more serious transgressions. A notable example is the $750,000 fine that University of Washington Medicine had to pay out in December 2015. According to the HHS, the organization was fined after a large patient security breach, which saw over 90,000 patient records compromised by malicious malware that was opened in an email by a nurse. The records contained highly sensitive information such as billing records and Social Security numbers.

It’s clear that the response from the OCR was far stricter, given the sheer number of patients who were impacted by the violation. In addition to the substantial financial penalty, UWM was required to implement a new plan of action to ensure that HIPAA violations will not occur in the future. 

Filed under: General Problems