Rite Aid recently agreed to pay a $1 million fine to settle alleged HIPAA violations. Employees had improperly disposed of customer prescriptions, failing to protect sensitive patient information, and Rite Aid could not show that it had adequately trained its employees to dispose of customer prescriptions properly.
At the time of the conduct that led to the fine, Rite Aid already had policies and procedures that clearly outlined the process for managing and disposing of sensitive customer information. In an organization with thousands of locations and tens of thousands of employees, communicating those policies and procedures, delivering them to the right people, and ensuring compliance with them can be a major challenge.
If Rite Aid had had a tool like TotalCompliance® from ComplianceBridge, it could have regularly published its policies and procedures to all of its employees, or only to the relevant departments, and easily tracked end-user compliance with those documents, such as who has read and legally signed off on them. It could have added a short quiz to further confirm that employees understood what they had read. Legal language in the employee's acknowledgement could have protected Rite Aid against this expensive litigation. If Rite Aid had been able to show that it had not only delivered the relevant policies to its employees, but also verified that they understood the material and then had them sign off with an authenticated electronic signature agreeing to be bound by the terms of the policy or procedure, it would have been in a far stronger position than it was when it signed a consent order with the Federal Trade Commission (FTC) to settle potential violations of the FTC Act.
For the price of the settlement alone, Rite Aid could have licensed TotalCompliance for more than 50 years. In addition to delivering the material and ensuring it was acknowledged, Rite Aid could have easily tracked compliance across the organization, all the way down to the individual store or department.
In Rite Aid's defense, it is taking the penalties very seriously and has vowed to change.
Rite Aid spokeswoman Cheryl Slavinsky said, "We take this very seriously. We are not aware of any harm to customers or patients from the investigated incidents, and we certainly hope that it does not happen again."
Rite Aid has since strengthened its HIPAA program training, with better tracking and monitoring to make sure employees read the policies and complete the computer-based training modules.
As you may know, Rite Aid is not the first to pay expensive fines for negligent communication and tracking practices. A few years ago, CVS was forced to pay a $2.25 million penalty for similarly failing to develop and communicate critical policies and procedures. Hopefully other organizations can learn from these unfortunate incidents.