The Federal Trade Commission's recent case against CVS Caremark Corp.'s allegedly cavalier handling of sensitive personal medical information rested on the pharmacy chain's boastful claims to the contrary. For hospitals and other health organizations, the case holds a wealth of lessons and unleashes a posse of new enforcers in the fight to protect medical information.
"The FTC stepping in signals a shift in how HIPAA is going to be enforced, and it is being driven by an agency that cares very much about identity theft," said Paul Proctor, an analyst at Stamford, Conn.-based Gartner Inc.
Earlier this year CVS Caremark Corp., parent company of the nation's largest pharmacy chain, agreed to settle Federal Trade Commission (FTC) charges that it failed to take "reasonable and appropriate measures to protect sensitive financial and medical information of its customers and employees, in violation of federal laws."
Among the stipulations of the settlement: CVS must undergo an independent audit every two years for the next 20 years to ensure its security program meets the standards of the order. In tandem with the FTC's investigation of CVS, the U.S. Department of Health and Human Services (HHS) pursued its own investigation of the company's pharmacy chain for violations of the Health Insurance Portability and Accountability Act (HIPAA), exacting a $2.25 million fine to resolve the allegations. The final settlement agreement went into effect in June.
The multimillion dollar penalty -- the largest amount for HIPAA violations to date -- carried the headlines. The bigger news for HIPAA-covered entities and their business associates, risk analyst Ian Glazer said, is that the sensitive information contained in medical records is fair game for the FTC.
"What the FTC said is, 'We are going to pursue HIPAA-related situations as a matter of consumer protection," said Glazer, who covers compliance at Midvale, Utah-based Burton Group Inc. "The FTC has a more proven, sharper track record when it comes to these kinds of consumer issues and demonstrated a willingness to go after organizations and seek damages.
"The CVS Caremark case was a shot across the industry bow, saying, 'We're here and we're back and we're kind of pissed off and we're coming after you,' " he said.
Consumer protection acts to bear on HIPAA violations
The double-barreled investigation of CVS followed media reports in 2006 that its pharmacies were dumping trash into open dumpsters that included pill bottles with patient names, addresses and personal physicians' names; medication instruction sheets with personal information; computer order information with consumers' personal information; employment applications with Social Security numbers; payroll information and credit card and insurance card information, some with driver's license numbers.
Given the contents of the CVS trash, the FTC complaints against the chain are hardly surprising: failure to implement reasonable policies and procedures to dispose securely of personal information, inadequate training of employees, failure to assess compliance with its own security policies and practices for handling sensitive information.
Less obvious is the charge that CVS Caremark engaged in "deceptive" trade practices with claims such as, "CVS/Pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information," said the FTC in its charges against CVS. Because CVS allegedly failed to protect this sensitive information, the practices were "unfair" to consumers.
By invoking the Consumer Protection Act to go after CVS's alleged security lapses, the FTC's case unleashes a brigade of new HIPAA enforcers, according to Donna A. Boswell and Sara A. Kraner, attorneys at Washington, D.C.-based Hogan & Hartson LLP, in a July 20 article, "HIPAA and hospitals' privacy enforcement options."
Among the changes to HIPAA under the American Recovery and Reinvestment Act is the authorization of state attorneys general to enforce and seek damages for HIPAA violations.
"To the extent that state attorneys general had any doubt about how this enforcement authority might work under their existing authority, the FTC's consent order in the CVS Caremark case pretty clearly signals how they might proceed," wrote Kraner and Boswell.
Review HIPAA "Notice of Privacy Practices"
CVS, of course, is not alone in making such claims. Many organizations, including hospitals, choose to augment the legalistic and potentially off-putting mandatory privacy content and disclaimers in the Notice of Privacy Practices required under HIPAA with more consumer-friendly language.
The CVS Caremark case was a shot across the industry bow saying, 'We're here and we're back and we're kind of pissed off and we're coming after you.
Ian Glazer, risk analyst, Burton Group Inc.
Thus, in addition to the many other lessons of the case against CVS, the FTC's course of action should also prompt hospitals and other covered entities to pay particular attention to any marketing verbiage ("elective content") added to the privacy notice that could expose their organizations under the Consumer Protection Act.
Gartner's Proctor said asking corporate counsel to review marketing language for legal exposure might be just the vehicle for shaping up security and HIPAA compliance programs. "I'm liking this," he said. "If you are forced to ask general counsel if 'We have a great security and privacy program' is dangerous language, general counsel in turn might just ask what kind of security and privacy program is in place."
Candy Alexander, chief information security officer at Long Term Care Partners LLC, an insurance and medical benefits administrator for federal employees, said the FTC case against CVS underscores a truism many organizations overlook: that security is not a security "is not a technology solution."
"You can't take care of security by just having antivirus and audit controls," she said. "You have to make sure that people really understand the security processes and that the right processes are in place. It's the proverbial three-logged stool of people, processes and technology.
"And shame on us for having these regulations at all," Alexander said. "Security is a condition of doing business."
Let us know what you think about the story; email Linda Tucci, Senior News Writer.