James Christiano is not happy with CVS’s privacy protections, or lack thereof. Despite the resolution agreement between Health and Human Services (HHS) and CVS over past privacy violations, James reports that protections are still, well, seriously inadequate:
This week I had a prescription filled at my local CVS pharmacy in Livingston, New Jersey. While standing at the pharmacy I noticed that all of the filled prescriptions were stored directly behind the counter in plain view of any customer. Each prescription was inside a small bag to which a customer receipt was attached. The receipts in the front row of the storage bins were readable from the counter. The receipts contain protected health information (PHI) that is subject to the Privacy and Security Rules of HIPAA including:
1) Full name,
2) Address,
3) Telephone number,
4) Day and month of birth,
5) Drug name and dosage, and
6) Prescriber.HHS maintains the authority for civil enforcement of violations of the Privacy and Security Rules promulgated pursuant to HIPAA. So, why is it that CVS allows the public to view its customers’ PHI in violation of HIPAA even while still subject to the corrective action plan for its prior alleged violations? Well, I asked the pharmacist on duty. The pharmacist acknowledged that it was a problem that the PHI could be viewed from the counter. However, CVS was expecting to remodel and “hopefully” the shelf would be placed farther away to render the PHI unreadable.
Read more on Health Reform Watch.
Unbelievable. I hope James has filed a complaint with HHS about this, even though he doesn’t seem to think they’ll actually do much. And if HHS doesn’t do much, maybe Congress should hold a hearing and have HHS there to explain how they are handling certain “repeat offenders.” When they’re done discussing CVS, maybe they can consider WellPoint.