CVS Health is among hundreds of covered entities that have violated the Health Insurance Portability and Accountability Act (HIPAA) “repeatedly” from 2011 to 2014, according to a startling new report.
ProPublica published the report on its website, citing numerous instances in which the country's largest chain pharmacy failed to protect the privacy of its patients. From 2011 to 2014, CVS customers had filed numerous complaints against the pharmacy pertaining to privacy violations. One customer had his cancer medication delivered to his neighbor's house, and another reported that a pharmacist announced his medical information in front of other customers.
So, what happened to CVS Health for repeatedly violating HIPAA? According to the report, the Office for Civil Rights (OCR) – the branch of the Department of Health and Human Services that's responsible for enforcing HIPAA – reminded the pharmacy of its duty to protect customers' privacy under HIPAA. CVS pledged that it would take additional steps to ensure compliance with all patient privacy laws, but other than a $2.25 million penalty for improper disposal of PHI, the pharmacy did not face additional fines or penalties.
The OCR has the power to fine covered entities up to $50,000 for each violation of HIPAA, with a yearly cap of $1.5 million. In extreme cases, it can even file criminal charges against offenders, although cases such as this are few and far between.
The report goes on to reveal that more than 220 incidents involving HIPAA violations occurred from 2011 to 2014. While CVS Health was at the forefront of these violations, other covered entities noted in the report include Kaiser Permanente, Walgreens, the Department of Veterans Affairs, and Walmart. Responding to the report, CVS spokesman Mike DeAngelis wrote that CVS Health “is strongly committed to protecting the privacy of our patients’ health information.” He added, “We have established rigorous privacy policies and procedures throughout the company to safeguard patient information.” Neither Walmart nor any of the other covered entities mentioned in the report has responded yet.
Pharmacies often believe they are immune to HIPAA simply because they don't provide direct healthcare services. Instead, they simply fill prescription orders created by doctors and physicians. But HIPAA views pharmacies in the same manner as doctors, categorizing them as covered entities. And like all covered entities, they must abide by the HIPAA Privacy, Security and Breach Notification Rules.