OCR Closes Walgreens Improper PHI Dumping Case After 9 Years

In 2016, WTHR 13 carried out an investigation into the improper disposal of sensitive data by pharmacies. The investigation was initiated following a theft that took place at the home of an Indiana resident. A drug addict targeted the person knowing that she had pain medication. That information was taken from a pharmacy dumpster.

The review involved reporters examining the dumpsters behind a number of pharmacies in Indiana. The reporters discovered bags of garbage, many of which included sensitive information such as prescription details, names, addresses, and phone numbers. Reporters also found that, in some cases, credit card information was printed on documents discarded with regular trash.

The investigation was first carried out on Walgreens, although it was later expanded to include a number of other pharmacy chains, including CVS and Rite Aid. The investigation was also expanded to 12 other states.

Initially, reporters were advised by Walgreens representatives that the improper dumping of sensitive data was not company policy and happened only in isolated incidents. However, reporters found this was a nationwide issue.

The investigation prompted the Department of Health and Human Services’ Office for Civil Rights to look into the claims in 2007. When Protected Health Information is no longer needed, it must be securely disposed of. All PHI must be in a condition where it is “unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster or other trash receptacle.”

OCR investigators found that Health Insurance Portability and Accountability Act Rules had been broken by CVS and Rite Aid. In 2009, CVS settled a legal case with the Federal Trade Commission for “failing to take reasonable and appropriate security measures to protect the sensitive financial and medical information of its customers,” and settled the HIPAA breach charges with OCR for $2.25 million. In 2010, Rite Aid settled a legal action with OCR for improper disposal of PHI and agreed to pay a penalty of $1 million.

However, no settlement was agreed with Walgreens, in spite of the evidence collated by WTHR 13 reporters that HIPAA Rules were broken when PHI was disposed of inadequately.

Recently, OCR announced that the case against Walgreens has been closed, almost ten years after the investigation was initiated. No financial penalty was deemed appropriate as Walgreens took instant corrective steps to address the problem. The case was resolved by voluntary compliance on the part of Walgreens.

In a letter sent to WTHR, Rachel Seeger, Senior Advisor for Public Affairs and Outreach at OCR, stated that by November 2006 Walgreens had ensured that all of the dumpsters in use by its employees were locked to prevent improper access. She added, “Walgreens provided proof of the voluntary compliance actions it took immediately, and on an ongoing basis.”

The steps taken included revising and strengthening data disposal policies and “making dumpster or gate locks available through its distribution centers for those Walgreens stores that did not have self-locking dumpsters.” Further training was also given to staff members on correct disposal procedures.

Walgreens' corrective measures were deemed to be appropriate and to have solved all of the problems raised by the WTHR report, and no financial penalty was deemed to be appropriate.