The U.S. Department of Health and Human Services and the Federal Trade Commission announced today that CVS will pay the U.S. government a $2.25 million settlement and take corrective action in connection with the government finding that CVS had violated the HIPAA Privacy Rule by failing to safeguard identifying information during disposal.  CVS Caremark Corp., the parent company of the pharmacy chain, also signed aconsent order with the FTC to settle potential violations of the FTC Act.

The settlement, which applies to all of CVS’s more than 6,000 retail pharmacies, follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential HIPAA violations after media reports alleged that patient information maintained by the pharmacy chain was being disposed of in industrial trash containers outside selected stores that were not secure and could be accessed by the public.  At the same time, the FTC opened an investigation of CVS.  OCR and the FTC conducted their investigations jointly. Among other things, the OCR and the FTC found that CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process; and that it failed to adequately train employees on how to dispose of such information properly.

Click here to review the HHS Resolution Agreement and Corrective Action Plan .  The OCR has also posted new FAQs that address requirements for disposal of protected health information.