Wakefern Food Corp. and two of its ShopRite supermarkets have reached an Attorney General HIPAA settlement with the state of New Jersey and the New Jersey Division of Consumer Affairs. The events that led to the settlement are discussed below.
Attorney General HIPAA Settlement for HIPAA Violations
In 2016, Wakefern replaced devices in the pharmacies of two ShopRite supermarkets. The devices stored the electronic protected health information (ePHI) of 9,700 New Jersey residents. The old devices were disposed of in dumpsters, without first being wiped of the ePHI. The ePHI stored on the improperly discarded devices included names, phone numbers, birthdates, driver’s license numbers, prescription numbers, medication names, dates and times of pick-up or delivery, and customer zip codes.
Attorney General Grewal commented, “Pharmacies have a legal obligation to protect the privacy and security of the patient information they collect, and to properly dispose of that information when the time comes. Those who compromise consumers’ private health information face serious consequences.”
To settle the HIPAA violations, Wakefern and the two ShopRite supermarkets in question (Union Lake and SRS) agreed to an Attorney General HIPAA settlement. The settlement includes a $235,000 fine and a requirement to implement security measures to prevent a similar event from occurring in the future.
The settlement provisions include:
- appointing a chief privacy officer;
- executing a Business Associate Agreement with SRS, Union Lake and each of its members that operate pharmacies within 30 days of the settlement, to ensure that these entities will appropriately safeguard protected health information;
- ensuring that all the ShopRite stores with pharmacies in the Wakefern cooperative designate a HIPAA privacy officer and HIPAA security officer; and
- providing online training for those officers on HIPAA security and privacy rules.
In addition to the above-mentioned provisions, Union Lake and SRS have agreed to provide the Division with written confirmation of their appointment of HIPAA security and privacy officers within 30 days of the settlement. They have also agreed to provide the appointed officers with online training offered by Wakefern within 120 days of their appointment.
Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs, stated, “New Jersey consumers have a right to know that when they purchase a prescription medication at the neighborhood supermarket, their most private information will be fully protected under the law and not carelessly left to fall into the wrong hands. This settlement ensures that ShopRite supermarket pharmacies will be trained and monitored for HIPAA compliance to avoid future conduct that places consumers at risk for privacy invasion and identity theft.”
How to Properly Dispose of ePHI and Avoid HIPAA Violations
The Department of Health and Human Services provides guidance on how to properly dispose of PHI stored on electronic media. Its website states, “Appropriate methods for removing ePHI from electronic media prior to reuse or disposal may be by clearing (using software or hardware products to overwrite media with non-sensitive data) or purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains) the information from the electronic media. If circumstances warrant the destruction of the electronic media prior to disposal, destruction methods may include disintegrating, pulverizing, melting, incinerating, or shredding the media.”
Healthcare organizations can hire a third-party contractor (business associate) to dispose of ePHI. However, they must have a signed business associate agreement with the contractor before allowing them to dispose of the media.