Patient privacy in any medical facility is not only a right, but a law which was passed by the United States congress in 1996. The law provides the ability to transfer and continue health insurance coverage for Americans when the change or lose their jobs, reduces healthcare fraud and abuse, mandates industry wide standards for health care information on electronic billing, and requires confidential handling of protected health information. The confidentiality is the portion which medical staff and their business associates develop and follow procedures that ensure the confidentiality and security of PHI, protected health information.
California Department of Health Care Services, 2012) Many medical facilities and pharmacies throughout our country fail to comply with these HIPAA regulations and through neglect or fraudulent activity compromise a patient’s personal health information. Channel 13 in Indiana did an investigation on pharmacies throughout our nation which discarded prescription labels, pill bottles, and patient information sheets with patient’s personal information into their unsecured dumpsters around Boston, Chicago, Cleveland, Dallas, Denver, Detroit, Miami, Louisville, Philadelphia, and Phoenix.
When prescriptions are dropped off, electronically transferred, or called into a pharmacy, patients assume their personal information is guarded and protected. The information given to the pharmacy consists of the patient’s address, telephone number, date of birth, prescribing doctor, social security numbers, and the type of medication on record. This is a violation of federal law. “Putting protected health information in a dumpster that is accessible to anyone is clearly not an example of a reasonable safeguard,” said Susan McAndrew, senior advisor with the U. S. Department of Health and Human Services’ Office of Civil Rights. (Segall, 2012)
Of course there were steps implemented by management to remedy the problem. The manager of Walgreens now requires all dumpster to be locked at all times. Another Walgreen’s manager suggested placing all general trash in a quarantine area to be checked for patient information, sealed, signed and dated by the inspector, and then taken to the dumpster. A CVS manager proposed having a designated area in the store to store pharmacy trash bags until they are delivered to a regional warehouse for proper disposal. (Segall,2012) Some stores may have high turnover rates or poor training, which causes a breakdown in policy and procedure methods.
Removing any identifiable information from the prescription bottles before discarding them would have made a difference. Shredding any identifiable information before placing it in the dumpster would have also been sufficient. The managers of these pharmacies have to review the policy and procedures on customer’s privacy rights and how to properly discard their personal information. Each state has a pharmacy board that has rules regarding how to protect patient information; the manager will need to refer to those rules and give additional training to the employees.
It is proper to have a representative from an outside company for training on HIPAA and privacy regulations. The author and interviewer spoke with a homeless man who stating he views the content of the dumpster as a means of income. The homeless man sells items he finds in the dumpster to make money. Identity theft is an increasing problem in our society. Identity theft is a crime. Patient’s personal information can easily be sold to a criminal, who can apply for credit and make purchases using the patient’s stolen information. The Golden Rule is to treat people how you would want to be treated.
The public should never have to think twice that a professional company would be such lack of concern about their personal information. Elderly people are more likely to have multiple prescriptions and on a consistent basis and the pharmacy discarding their personal information can lead to identity theft. Elderly people are less likely to check or investigate any type of inconsistencies or new entries on their credit report. If the person is applying for any type of credit after theft has happened, this can cause a denial from banks. Insured customers may xperience fraudulent use of the prescription or medical insurance information.
This could cause denial of coverage at any point. This could have a huge impact on their lives and it is up to the professionals in these pharmacies to prevent this from happening. The article also told the story of a burglary after a thief found an address from the dumpster of one of their customers. This could be devastating and even fatal if these addresses are obtainable by criminals. Ethically, these pharmacies were incompetent in the way they decided to destroy these records.
There is no excuse for this based on the fact they are looked upon as a professional organization and incompetency should not be an excuse. You have a duty as a physician to respect the patient’s trust and keep this information private. Protecting a customer’s confidentiality is about respect. It is the professionals’ duty to respect the customer’s information by restricting access of others to this information. Creating a trusting environment is extremely important. Maintaining confidentiality and respect for the privacy of others is ethically correct and expected in this type of organization.
Discarding this personal information is not only ethically wrong, but legally wrong. This is referred to as a breach and fines are applicable in this case. In 2005, the U. S. Department of Justice clarified who could be held criminally liable for violating HIPAA regulations. This violation of placing patient information in the dumpster would fall under the “HIPAA violation due to willful neglect but violation is corrected within the required time period”. This fine can range from $10,000 to $250,000 annually for repeated violations. American Medical Association, 2012) Violating HIPAA regulations is a federal law and offenses are considered a felony.
The fines imposed can be devastating, but there are cases that jail time is required. CVS’s breach in HIPAA regulations were taken up by The Federal Trade Commission and were fined $2. 25 million dollars. According to the complaint, CVS Caremark did not implement reasonable policies and procedures to dispose securely of personal information and did not adequately train employees. (Federal Trade Commission, 2009) It is an organizations responsibility to keep all their employees trained on HIPAA compliance.