Walgreens Improper PHI Dumping Case Closed by OCR After 9 Years

Ten years ago, WTHR 13 conducted an investigation into the improper disposal of sensitive information by pharmacies. The investigation was conducted following a robbery that took place at the home of an Indiana resident. A drug addict targeted the individual knowing that she had pain medication. That information was obtained from a pharmacy dumpster.

The investigation involved reporters checking the dumpsters behind a number of pharmacies in Indiana. The reporters discovered bags of trash, many of which contained sensitive information such as prescription details, names, addresses, and phone numbers. Reporters also discovered that in some cases, credit card details were also printed on documents discarded with regular trash.

The investigation was first conducted on Walgreens, although it was later expanded to a number of other pharmacy chains including CVS and Rite Aid. The investigation was expanded to 12 states.

Initially reporters were told by Walgreen’s representatives that the improper dumping of sensitive information was not company policy and occurred in isolated incidents. However, reporters discovered this was a nationwide problem.

The investigation prompted the Department of Health and Human Services’ Office for Civil Rights to investigate the claims in 2007. When Protected Health Information is no longer required, it must be securely destroyed. All PHI must be rendered “unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster or other trash receptacle.”

OCR investigators determined that Health Insurance Portability and Accountability Act Rules had been violated by CVS and Rite Aid. In 2009, CVS settled a case with the Federal Trade Commission for “failing to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers,” and settled the HIPAA violation charges with OCR for $2.25 million. In 2010, Rite Aid settled a case with OCR for improper disposal of PHI and agreed to pay a financial penalty of $1 million.

However, no settlement was agreed with Walgreens, in spite of the evidence collected by WTHR 13 reporters that HIPAA Rules were violated when PHI was disposed of improperly.

Recently, OCR confirmed that the case against Walgreens has been closed, almost ten years after the investigation began. No financial penalty was deemed appropriate as Walgreens took immediate action to correct the problem. The case was resolved by voluntary compliance.

In a letter sent to WTHR, Rachel Seeger, Senior Advisor for Public Affairs and Outreach at OCR, said that by November 2006 Walgreens had ensured that all of the dumpsters used by its staff were locked to prevent improper access. She also said “Walgreens provided proof of the voluntary compliance actions it took immediately, and on an ongoing basis.”

Those actions included revising and strengthening disposal policies and “making dumpster or gate locks available through its distribution centers for those Walgreens stores that did not have self-locking dumpsters.” Further training was also provided to staff members on correct disposal procedures.

Walgreens actions were deemed to be appropriate and solved all of the problems raised by the WTHR report, and no financial penalty was deemed to be appropriate.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.