Alleged mishandling of discarded patient records calls the giant retailer’s privacy safeguards into question
The data-focused CVS Caremark Corp. (Woonsocket, RI) has made an involuntary $2.25 million investment in protecting customer information and has fortified its procedures for handling retail trash. The investment takes the form of a fine from the Department of Health and Human Services, part of a two-pronged settlement in which the company agreed to implement appropriate procedures for handling personal information about customers and employees in response to an FTC complaint, and agreed to pay the fine and implement a corrective action plan for Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy rule compliance to settle with HHS.
“Through the settlement we are required to maintain our security policies and our employee training around them, and we are subject to inspections,” says Mike DeAngelis, CVS Caremark spokesman. Both matters stem from 2006 press reports alleging that patient information maintained by the pharmacy was being disposed of in unsecured industrial trash containers. According to FTC documents, “CVS Caremark made claims such as ‘CVS/pharmacy wants you to know that nothing is more central to our operations than maintaining the privacy of your health information,’” which FTC alleged was a deceptive claim.
HHS and FTC will also require CVS Caremark to actively monitor its compliance with the agreements. The company must hire a third party to assess CVS Caremark compliance and report to the federal agencies. The HHS corrective action plan will be in place for three years; the FTC requires monitoring for 20 years.
As a combination of one of the largest drugstore chains and one of the largest PBMs, CVS Caremark has big plans for becoming more central to healthcare IT specifically, and overall healthcare generally. In a recent BusinessWeek interview, CVS Caremark CEO Tom Ryan detailed the key role of customer data in the company’s strategy to grow while simultaneously helping to rein in healthcare costs through increased health monitoring and patient compliance, among other activities. Ryan said in the interview that the company’s customer data reveals when a customer has stopped taking medication. For PBM patients, that may prompt a telephone reminder from the store for the customer to get a refill.