CVS to pay $2 million over alleged HIPAA violations
Capping a first-of-its-kind joint investigation by the Federal Trade Commission and the HHS Civil Rights Office, drugstore and pharmacy benefits management giant CVS Caremark has agreed to pay $2.25 million in a settlement agreement over alleged deceptive and unfair trade practices and alleged violations of the privacy protections under the Health Insurance Portability and Accountability Act of 1996, the two federal agencies said in news releases.
The investigation of CVS began after news media in several states reported finding that prescription drug and other personal information had been dumped into unsecured trash containers at its pharmacies, according to an FTC statement. CVS Caremark had run afoul of FTC deceptive business practices guidelines by claiming “CVS/pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information,” the FTC statement said. The FTC also alleged the drug seller’s security practices were unfair. Under the FTC settlement, the company has agreed to undergo an independent audit of its security program every two years for the next 20 years.
Under the HHS agreement, CVS agreed to pay what the government describes as “a $2.25 million resolution amount,” to implement a corrective action plan that requires employee training and employee sanctions for noncompliance, and to “engage an outside independent assessor to evaluate compliance for three years.”