OCR Closes Walgreens Improper PHI Dumping Case After 9 Years

by | Aug 16, 2016

In 2016, WTHR 13 carried out an investigation into the improper disposal of sensitive data by pharmacies. The investigation was initiated following a theft that took place at the home of an Indiana resident. A drug addict targeted the person knowing that she had pain medication. That information was taken from a pharmacy dumpster.

The review involved reporters examining the dumpsters behind a number of pharmacies in Indiana. The reporters discovered bags of garbage, many of which included sensitive information such as prescription details, names, addresses, and phone numbers. Reporters also found that in some cases, credit card information was also printed on documents discarded with regular trash.

The investigation was first carried on Walgreens, although it was later expanded to include a number of other pharmacy chains including CVS and Rite Aid. The investigation was also expanded to 12 other states.

Initially reporters were advised by Walgreen’s representatives that the improper dumping of sensitive data was not company policy and happened in isolated incidents. However, reporters found this was a nationwide issue.

The investigation prompted the Department of Health and Human Services’ Office for Civil Rights to look into the claims in 2007. When Protected Health Information is no longer needed, it must be securely disposed of. All PHI must be in a condition where it is “unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster or other trash receptacle.”

OCR investigators found that Health Insurance Portability and Accountability Act Rules had been broken by CVS and Rite Aid. In 2009, CVS settled a legal case with the Federal Trade Commission for “failing to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers,” and settled the HIPAA breach charges with OCR for $2.25 million. In 2010, Rite Aid settled a legal action with OCR for improper disposal of PHI and agreed to pay a penalty of $1 million.

However, no settlement was agreed with Walgreens, in spite of the evidence collated by WTHR 13 reporters that HIPAA Rules were broken when PHI was disposed of inadequately.

Recently, OCR announced that the case against Walgreens has been closed, almost ten years after the investigation was initiated. No financial penalty was deemed appropriate as Walgreens took instant corrective steps to address the problem. The case was resolved by voluntary compliance on the part of Walgreens.

In a letter sent to WTHR, Rachel Seeger, Senior Advisor for Public Affairs and Outreach at OCR, stated that by November 2006 Walgreens had ensured that all of the dumpsters in use by its employees were locked to prevent improper access. She added “Walgreens provided proof of the voluntary compliance actions it took immediately, and on an ongoing basis.”

Those steps taken included revising and strengthening data disposal policies and “making dumpster or gate locks available through its distribution centers for those Walgreens stores that did not have self-locking dumpsters.” Further training was also given to staff members on correct disposal procedures.

Walgreens corrective measures were deemed to be appropriate and solved all of the problems raised by the WTHR report, and no financial penalty was deemed to be appropriate.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy