Privacy & Security Matters Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Improper Disposal Costs Rite Aid $1 Million

Posted in Data Breach

Written by Dianne Bourque

Rite Aid has agreed to pay $1 million to settle allegations that it violated HIPAA by disposing of labeled pill bottles in unsecured dumpsters accessible to the public. The $1 million fine settles a joint Office of Civil Rights (OCR)/Federal Trade Commission (FTC) investigation prompted by televised media reports of pharmacies disposing of pill bottles containing patient information. Rite Aid and several other retail pharmacies in cities throughout the United States were highlighted in the report.

The improper disposal of patient labels violates the HIPAA Privacy Rule (not the Security Rule, because the labels are paper) and exposes patients to the risk of identity theft and other crimes.

In addition to paying the $1 million resolution amount to OCR, Rite Aid has agreed to implement “a strong corrective action program” including:

· Revising its policies and procedures related to the disposal of PHI and sanctioning workers who do not follow them

· Training workforce members on new policies and procedures

· Conducting internal monitoring

· Engaging a qualified, independent third party assessor to review its compliance efforts and report to HHS

A link to the resolution agreement is available here:



Dianne Bourque

Dianne is an associate in the firm’s Health Law Section. She advises a variety of health care clients on a broad range of issues, including licensure, regulatory, contractual, and risk management matters, and patient care.