7 Pharmacy HIPAA Violations That Might Surprise You

5 HIPAA Violations You Might Not Know About by Elements magazine | pbahealth.com

Inside: Learn seven little-known patient privacy pitfalls to protect your pharmacy from costly fines for HIPAA violations. 

Despite your best efforts at compliance, your pharmacy could be violating the Health Insurance Portability & Accountability Act (HIPAA). And you might not even know it.

That ignorance could prove costly—director of the Health and Human Services Office for Civil Rights Roger Severino has promised harsher audits in 2019 to better protect patient privacy.

Whether you’ve partnered with a company that specializes in compliance support or spent hours crafting your own policies, there’s still a risk you might be violating HIPAA in a way you didn’t even know was possible. Fines per violation run from $100 to $50,000.

Check out these 7 examples of surprising HIPAA violations.

1. Pharmacies can be held liable for employee violations (even with airtight privacy policies)

In 2013, a Walgreens pharmacist in Indiana reviewed the prescriptions health records of a woman who had once dated her husband. Courts determined that because of this HIPAA violation, Walgreens should pay a $1.4 million fine, even though they had strict privacy policies in place and the employee admitted she knowingly violated the company’s rules.

After a lengthy legal battle, the Indiana Court of Appeals let the initial ruling stand, sending a stark message to pharmacies across the United States: If your employees violate HIPAA, you can be held liable.

At the time of the appeal the plaintiff’s lawyer Neal Eggeson told The Indiana Lawyer, “Walgreen has now created a precedent—one which may be used and relied upon by courts throughout the nation—confirming that privacy breach victims may hold employers accountable for the HIPAA violations of their employees.”

2. Trash can get you into trouble

When a reporter went through the trash of a CVS Pharmacy in 2009, they found that employees were disposing of old prescription bottles with labels that had health information still intact. Because of the patient and pharmacy order information found in unsecured dumpsters, the company was fined $2.25 million for violating HIPAA regulations. They also had to implement a detailed Corrective Action Plan to ensure that this type of information was properly dealt with in the future.

In 2010, Rite Aid Corporation ran into a similar problem—pharmacies in multiple cities were found to be disposing of pill bottles with patient information on the labels in industrial trash containers that were accessible to the public. In this case, the chain faced a $1 million settlement.

3. Your digital data is compromised

With more and more health data being digitized, pharmacists now have to worry about HIPAA violations from another angle: cybersecurity. The Protenus Healthcare Breach Barometer reported that in January 2018, 83 percent of all breached healthcare records were caused by hackers or other IT-related issues.

New York-Presbyterian Hospital and Columbia University found themselves facing a $4.8 million fine after the hospital’s firewall was deactivated and health records from 6,800 patients found their way to the open internet. After malware compromised protected UMass Amherst data, it had to pay $650,000 in fines.

Because lax cybersecurity can mean such hefty fines, it’s crucial that your pharmacy’s technology is up to date and protected. Cyber liability insurance can provide additional protection.

4. Pharmacy design creates privacy problems

The layout of your pharmacy could also get you in trouble with HIPAA. A study conducted by Change to Win Retail Initiatives found that to be the case with certain Walgreens’ locations.

When they implemented their “Well Experience” program, they moved the pharmacist’s desk to the front counter to make them more accessible. However, 80 percent of locations that adopted this model left patient information like medical histories easily visible to customers. And in almost half the stores, prescriptions were left unattended within reach of customers.

5. Mishandled information results in fines

Even if you’ve done everything to prevent cybersecurity threats, the technology in your office may still leave you vulnerable. When Affinity Health Plan returned a leased copy machine, they did so without erasing the hard drive. This meant that data from over 300,000 individuals had been turned over without any protection. The blunder resulted in a $1.2 million fine from federal regulators.

An orthopedic clinic in North Carolina ran into a similar problem when they decided to convert their X-rays into electronic media. When they handed over the X-rays to a third party vendor, they also gave away patient information for over 17,000 people. As a result, the clinic was hit with a $750,000 fine and will have to revise its policy procedures.

6. Loose lips will sink ships

Despite years of training on how to protect private health information, one careless comment led a veteran healthcare worker to lose her job. When a female student and her boyfriend came into the health center to discuss her pregnancy, the lab worker made a comment that she hoped the couple was happy with the pregnancy test result—within earshot of other health center workers.

The lab worker also gossiped about the test result with an office clerk, who then went on to discuss the case with two more medical assistants. After an investigation by the school, the lab worker was fired and the office clerk was disciplined.

7. Prying eyes lead to big consequences

A few days after the reality television star Kim Kardashian gave birth at Cedars-Sinai Medical Center in 2013, six employees were fired for inappropriately accessing patient medical records.

Though the physicians who accessed the medical records possessed log-in information for the hospital’s electronic record system, they were only supposed to use it to care for their own patients.

In this case, the hospital didn’t face a fine, but HIPAA violations of this kind can cost up to $50,000 per violation. In 2008, the UCLA Health System was fined $865,500 after employees access medical records for celebrities like Farrah Fawcett, Britney Spears, and Maria Shriver. The organization also had to develop an action plan for improving its security measures.

A Member-Owned Company Serving Independent Pharmacies

PBA Health is dedicated to helping independent pharmacies reach their full potential on the buy-side of their business. Founded and run by pharmacists, PBA Health serves independent pharmacies with group purchasing services, wholesaler contract negotiations, proprietary purchasing tools, and more.

An HDA member, PBA Health operates its own NABP-accredited warehouse with more than 6,000 SKUs, including brands, generics, narcotics CII-CV, cold-storage products, and over-the-counter (OTC) products — offering the lowest prices in the secondary market.

Editor’s Picks


Elements is written and produced by PBA Health, a buy-side solutions company.

Sign up for a FREE subscription to Elements magazine!


Sign up to receive PBA Health’s e-newsletter to get the latest Elements web articles in your inbox every other week, along with industry news, supply chain insights, and exclusive offers.

Related Articles

Popular Articles