While understanding privacy law and how it should be implemented is important, it is equally important to know how such laws are enforced and investigated by the U.S. Government. The following case explains the corrective action the Office for Civil Rights under the Department of Health and Human Services was forced to take ensure compliance of a covered entity that had significantly and repeatedly violated the Privacy Rule of HIPAA.
Following reports of improper disposal of personal health information (PHI) the OCR launched an investigation into the information practices of CVS Entities in September 2007. Their review found the following:
- Between July 2006 and May 2007 some retail CVS stores placed paper records containing personal health information in open dumpsters where they could be accessed by unauthorized individuals.
- The policies and procedures of CVS Entities prior to November 2006 were not adequate to ensure the security of PHI
- CVS did not have the appropriate administrative safeguards in place, such as disciplinary action or sanctions policies for members violating privacy and security policies
- Between April 2003 and November 2006, the training given to employees regarding compliance with the Privacy Rule of HIPAA was insufficient to ensure proper destruction of PHI
In January 2009 a resolution agreement was reached with the following terms:
- Each CVS entity must designate a Compliance Representative that is familiar with the Privacy Rule in order to ensure compliance with HIPAA and the Corrective Action Plan required by the agreement. The Compliance Representative is in charge of designing or improving policies, procedures, training and internal controls.
- CVS must pay the Department of Health and Human Services $2,250,000 in penalties
- CVS Entities must agree to implement the Corrective Action Plan outlined in the Resolution Agreement
The Corrective Action Plan (CAP) for CVS entities involved a number of changes in oversight, policy and training to ensure the adequate protection of PHI. Oversight of implementation of the CAP lasts three years from the effective date of the agreement.
The CAP required the following:
- Development, Improvement and maintenance of privacy policies and procedures that comply with the Privacy Rule of HIPAA and any other relevant privacy regulations
- CVS Entities must submit revised policies within 90 days of the agreement and implement the policies within 60 days of OCR approval
- Policies and procedures must be reviewed annually by the Compliance Representative
- Physical and Administrative safeguards to allow the proper disposal of PHI must be implemented
Employee Policies and Training
- All employees accessing personal health information must receive a copy of the new policies and sign a written agreement saying they understand and agree to abide by the Privacy Rule
- Employees that fail to comply with the Privacy Rule must receive disciplinary action
- Employees that have access to PHI must receive training appropriate to their level of access regarding proper handling of PHI, including its disposal, as well as the sanctions policies for non-compliance. Training should take place within 30 days of employment. Employees are prohibited from handling PHI before completing their privacy training
- A written or electronic account of employee training must be made available to the Office for Civil Rights for inspection
- Employees must verify in writing that they have received training and certification must be submitted to the relevant CVS entity within 10 days of certification
- Training material must be reviewed annually by the Compliance Representative
- CVS Entities must develop procedures for internal monitoring of compliance to be approved by the OCR
- CVS Entities will use a third party assessor to conduct evaluations of compliance with the Privacy Rule and the CAP. The Assessor must file reports with the OCR and Compliance Representative periodically
- The Assessor, Compliance Representative and all CVS Entities must maintain all paper’s related to the Assessor’s reports for inspection upon request by the OCR
- CVS entities must develop and internal reporting procedure for approval by the OCR which requires employees to report violations of the CAP to the Compliance Representative as soon as they become aware of the problem
- Upon receiving an internal report, the Compliance Representative must investigate the problem immediately
- If the investigation determines that a violation has occurred a written report describing the violation and the actions taken by the CVS entity must be submitted to the Assessor and the OCR
Within 150 days of OCR approval of the policies and procedures, the Compliance Representative will file an Implementation Report that includes the following information:
- A written attestation from the Compliance Representative stating that CVS is in full compliance with the Privacy Rule and the CAP to the best of their knowledge
- A written attestation from the Compliance Representative stating that the workforce with access to PHI have received their initial privacy training certification
- A copy of all training materials and a summary of the training program including length, topics and schedules
- A written attestation from the Compliance Representative with the contact information for all locations and retail pharmacies stating that all locations are compliant with the CAP within the best of their knowledge
- A written attestation from the Compliance Representative stating they have reviewed the Implementation Report and believe the evaluation to be accurate
Periodic reports must also be filed once a year to allow ongoing oversight. The periodic reports require similar information regarding training materials and compliance officer attestations. They also require a summary of all engagement between CVS Entities and the Assessor (ie: financial audits, compliance program engagements) and a summary of any compliance violations committed by a workforce employee. Furthermore, CVS is responsible for maintaining all documents related to the CAP for six years.
Significance of the CVS Enforcement Case
The CVS enforcement case reinforced several important privacy issues:
- All employees handling PHI must receive the proper training in their privacy obligations under HIPAA and other privacy laws. Furthermore they must be held accountable for any violations that occur
- Data destruction requires as much attention to privacy concerns as data in other parts of the data life cycle.
- Though most individuals PHI was not compromised through CVS’s improper disposal of data, it is the potential for such unauthorized use, access, or disclosure which is the real problem being addressed in the Corrective Action Plan.
The U.S. Government is serious about HIPAA enforcement. Entities handling PII must take the necessary steps to ensure compliance or be faced with much stronger requirements, oversight and costs.
CIPP/G Candidate Preparation
In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:
- HIPAA (I.B.a.i)