CVS will pay the government $2.5 million and toughen its practices so that the privacy of patients is not violated. The settlement, which applies to all CVS retail pharmacies, follows an extensive investigation by the HHS Office of Civil Rights (OCR) concerning HIPAA violations. In a coordinated action, CVS also signed a consent order with the FTC to settle potential violations of the FTC Act.
OCR opened an investigation in response to media reports alleging that patient information maintained by the pharmacy chain was being disposed of in industrial trash containers outside selected stores, and that these containers were not secure and could be accessed by the public. According to the information, CVS also failed to adequately train employees on how to dispose of such information properly. At the same time, the FTC opened its own investigation of CVS, which led the two agencies to coordinate the investigation.
Under the HHS resolution agreement, CVS agreed to pay $2.25 million and implement a robust corrective action plan. CVS will also actively monitor its compliance with the resolution agreement and the FTC consent order. The monitoring requirement specifies that CVS must engage a qualified independent third party to assess CVS compliance and then submit reports to the federal agencies. The HHS corrective action plan will be in place for three years, while the FTC plan will be monitored for 20 years.