Proactive Data Security Compliance Can Help Your Business Avoid Severe Penalties Later
Rite Aid Corporation is the latest company to learn a hard lesson on data security policies and procedures. Rite Aid and its 40 affiliated entities have agreed to a $1 million settlement to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rules. The national pharmacy chain signed a consent order with the Federal Trade Commission (“FTC”) and the Department of Health and Human Services (“HHS”) for allegedly failing to protect customers’ sensitive information. Several Rite Aid stores were caught on tape disposing of prescriptions and labeled pill bottles containing individuals’ Personal Information (“PI”) in industrial trash containers that were easily accessible to the public.
The FTC settlement against Rite Aid requires the company to:
- Establish a Written Information Security Program (“WISP”) to address the confidentiality and security of PI that Rite Aid collects; and
- Obtain an audit from a qualified third-party professional to ensure Rite Aid’s WISP meets the settlement standards, every two years for the next 20 years.
The HHS settlement against Rite Aid requires the company to:
- Establish procedures for disposing of protected health information and PI with appropriate sanctions for those employees not in compliance;
- Conduct internal reviews and monitoring;
- Develop a training program for disposing of PI; and
- Obtain an audit to ensure compliance for the next three years.
What about your company's Personal Information?
Nearly every company, healthcare related or not, has PI and therefore has substantial exposure if it fails to be proactive and appropriately responsive. Disposing of an individual’s health information and/or PI in a trash container accessible to the public is not compliant with several requirements of the HIPAA Privacy Rules. In addition, such wrongful disposal of PI is also in violation of numerous state data security statutes. Nearly 30 states have specific data security statutes that discuss the standards for storage, transmission, destruction and/or disposal of PI. Each state varies in its requirements for PI treatment as well as the appropriate notification procedures should a security breach occur. Nearly every state has a breach notification statute that an entity must follow with specific detail in the event a breach of PI occurs. PI is typically defined as an individual’s first name or first initial and last name in combination with any one or more of the following:
- Social Security Number;
- Driver’s license or state ID number; or
- Account number, credit or debit card number, in combination with any required security code, access code or password that would permit access.
It is important for organizations to recognize that the resources spent proactively on complying with health and data security laws can substantially reduce the enormous risks your company faces in connection with the retention and destruction of PI, and with data breaches.
If you would like to reduce your potential exposure, discuss the impact of data security laws on your business, learn how to implement a compliant WISP, or how to handle a data breach, please contact:
James J. Giszczak
Dominic A. Paluzzi
McDonald Hopkins counsels organizations regarding all aspects of data security, including handling PI disposal and data breach issues and complying with the federal and numerous state specific data security regulations. Our attorneys can help you properly assess your risks to ensure compliance. After you complete the brief McDonald Hopkins’ Data Security and Protection of Personal Information Review, your company will be provided an assessment of the required areas of compliance which have the greatest need of attention and improvement.
Carl J. Grassi, President
600 Superior Avenue, East, Suite 2100, Cleveland, Ohio 44114
West Palm Beach
IRS CIRCULAR 230 DISCLOSURE:
To ensure compliance with requirements imposed by the Internal Revenue Service, we inform you that any tax advice contained in this communication (including any attachments) was not intended or written to be used, and cannot be used, by any taxpayer for the purpose of (1) avoiding any penalties under the Internal Revenue Code or (2) promoting, marketing or recommending to another party any transaction or matter addressed herein.
© 2010 McDonald Hopkins LLC All Rights Reserved.
This Alert is designed to provide current information for our clients, friends and their advisors regarding important legal developments. The foregoing discussion is general information rather than specific legal advice. Because it is necessary to apply legal principles to specific facts, always consult your legal advisor before using this discussion as a basis for a specific action.