While understanding privacy law and how it should be implemented is important, it is equally important to know how such laws are enforced and investigated by the U.S. Government. The following case explains the corrective action the Office of Civil Rights under the Department of Health and Human Services was forced to take ensure compliance of a covered entity that had significantly and repeatedly violated the Privacy Rule of HIPAA.

Following reports of improper disposal of personal health information (PHI) the OCR launched an investigation into the information practices of CVS Entities in September 2007. Their review found the following:

Between [...]