HIPAA Investigation into Walgreens “Reasonable Safeguards” Closed

An investigation into a HIPAA complaint against Walgreens for alleged “lack of reasonable safeguards” was recently closed by the Office of Civil Rights (OCR) without the assessment of penalties against Walgreens according to a story on HealthItSecurity.com.

According to the letter issued by OCR, the HIPAA complaint was submitted by the group Change to Win and alleged that Walgreens had not implemented appropriate physical safeguards to its Well Experience model.  Some of the specific alleged complaints included:

–        A pharmacist leaving his/her desk leaving PHI unattended

–        The configuration of the pharmacy desk allowed customers to observe the PHI

–        No secure mode of disposal for PHI at the pharmacist’s desk

–        PHI on computer screen was visible to customers

–        Computers and mobile devices were unsecured

After reviewing documentation submitted and conducting onsite visits, the OCR found that Walgreens had implemented safeguards in it store with some evidence of staff error, but no evidence of “widespread and systematic” noncompliance.

OCR did note two areas of concern:  (1) the proximity of the consultation rooms and the seating area for patients waiting for prescriptions or appointments;  and (2) the use of full patient names on display screens that listed names of patients waiting for prescription pickups or clinic appointments.

OCR provided technical assistance on these two issues and recommended that the waiting area be moved or, if not feasible to move, that “sound-masking” technology be used.  The OCR also discussed the minimum necessary rule and indicated that first name and last initial on the display screen was more in line with the HIPAA Privacy Rule than was the use of the full name.  OCR also recommended that staff be retrained on this issue and that Walgreen’s annual HIPAA training be enhanced.

The OCR letter in this matter provides HIPAA Covered Entities with useful guidance related to OCR’s interpretation of the “reasonable safeguards” requirements in the HIPAA Privacy Rule which are found at 45 CFR §164.530(c).  It is also a good reminder that consumers are becoming better educated regarding the HIPAA Privacy Rule requirements and are seeking to have the HIPAA rules enforced by OCR where they do not believe that privacy protections are being adequately observed.

For more information on the “reasonable safeguards” requirements of the HIPAA Privacy Rule, a list of FAQs on reasonable safeguards can be found on the OCR’s website.

If you have questions related to HIPAA compliance or need to defend a HIPAA complaint, please contact one of our HIPAA attorneys.

Speak Your Mind