This seems to be my morning for giving thumbs up. This one is to WTHR, whose investigative series on pharmacies dumping unshredded prescription documents and customer data led the government to take action. Their reports had been covered on PogoWasRight.org starting in July 2006 and demonstrate what good local news coverage can accomplish.
One aspect of the CVS settlement that has not received discussion in media coverage is the gap in notification and disclosure laws. Some states do not require notification of breaches for paper records. And some states specifically exempt HIPAA-covered entities from notification laws on the premise that HIPAA would cover the situation. But HIPAA never did cover the situation because there was never any duty to disclose a breach under HIPAA — only to “mitigate harm.” So when local pharmacies improperly dispose of paper records in the trash, there is generally no legal duty to notify individuals whose data have been exposed or disclosed — or even acquired by others.
The CVS case should remind us all that enhanced security and privacy protections are needed not just for electronic health records but for paper records, too.