CVS Pays $2.25 Million and Toughens Practices to Settle HIPAA Privacy Case

The U.S. Department of Health and Human Services and the Federal Trade Commission today announced that CVS, the nation’s largest retail pharmacy chain, will pay the U.S. government a $2.25 million settlement and take corrective action to ensure it does not violate the privacy of its millions of patients when disposing of patient information such as identifying information on pill bottle labels.  The settlement, which applies to all of CVS’s more than 6,000 retail pharmacies, follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.

In a coordinated action, CVS Caremark Corp., the parent company of the pharmacy chain, also signed a consent order with the FTC to settle potential violations of the FTC Act. OCR, which enforces the Privacy Rule, opened its investigation of CVS pharmacy compliance with the Privacy Rule after media reports alleged that patient information maintained by the pharmacy chain was being disposed of in industrial trash containers outside selected stores that were not secure and could be accessed by the public.

At the same time, the FTC opened an investigation of CVS. OCR and the FTC conducted their investigations jointly. This is the first instance in which OCR has coordinated investigation and resolution of a case with the FTC. “OCR is committed to strong enforcement of the HIPAA Privacy Rule to protect patients’ rights to privacy of their health information. We hope that this agreement will spur other health organizations to examine and improve their privacy protections for patient information during the disposal process,” said Robinsue Frohboese, acting director of OCR. “Such safeguards will benefit consumers everywhere.”

The Privacy Rule requires health plans, health care clearinghouses and most health care providers (covered entities), including most pharmacies, to safeguard the privacy of patient information, including such information during its disposal. Among other issues, the reviews by OCR and the FTC indicated that:

* CVS failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process; and
* CVS failed to adequately train employees on how to dispose of such information properly.

Under the HHS resolution agreement, CVS agreed to pay a $2.25 million resolution amount and implement a robust corrective action plan that requires Privacy Rule compliant policies and procedures for safeguarding patient information during disposal, employee training and employee sanctions for noncompliance.

HHS and FTC also will require CVS to actively monitor its compliance with the resolution agreement and FTC consent order. The monitoring requirement specifies that CVS must engage a qualified independent third party to conduct assessments of CVS compliance and render reports to the federal agencies. The HHS corrective action plan will be in place for three years; the FTC requires monitoring for 20 years.

The HHS Resolution Agreement and Corrective Action Plan can be found on the OCR Web site at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/cvsresagrcap.pdf. OCR has posted new FAQs that address the HIPAA Privacy Rule requirements for disposal of protected health information.

They can be found on the OCR Web site at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/disposalfaqs.pdf.

Information about the FTC Consent Order agreement is available at http://www.ftc.gov.

E-Discovery Requirements Are About to Hit Canadian Firms

As Canadian firms brace for new e-discovery rules, they can look to their U.S. counterparts for technology lessons.

By Anne Rawland Gabriel

Time is growing short for Canadian securities firms to prepare for the scheduled April enforcement of the new Canadian National Instrument 31-103 (NI 31-103), regulation that significantly expands record keeping requirements for electronic communications. Fortunately NI 31-103 substantively mirrors U.S. regulations already in place, which means Canadian firms have the opportunity to learn from others’ experiences.

“NI 31-103 is very similar to SEC and FINRA requirements in the U.S.,” substantiates Carolyn DiCenzo, a Gartner research VP. “It’s important to remember that the spirit of the law is communications and not just one particular type of communication, such as e-mail or instant messaging.”

For more see wallstreetandtech.com.

Obama Administration Could Mean More Compliance Regs

January 5, 2009
By Drew Robb

Just as accounting scandals earlier this decade led to new regulations like Sarbanes-Oxley, last year’s global financial meltdown coupled with Democratic control of the White House and Congress seems like a recipe for a host of new compliance regulations — and thus more business for storage vendors and more work for storage administrators.

But the changes won’t stop with an Obama presidency and the 111th Congress. The leaders of the Group of 20 industrial and emerging countries (G-20) have been meeting to consider global regulations aimed at raising bank capital standards and regulating hedge funds, with European leaders at the forefront of the new financial market regulation.  While it might be years before all this results in any kind of international consensus, another round of regulation is almost certainly at hand.

* * *

SOX and other regulations like FRCP stimulated interest in the archive and nearline disk market and exposed tape media’s shortcomings for meeting search and audit requests.

“Generally, additional regulation mandates that organizations have to demonstrate their ability to reproduce transactional records within a specified timeframe when requested,” said Brian Kelly, an executive at Ernst and Young Global Ltd. “After the failure of some major organizations to respond to such audit requests, an overhaul of the archival process was mandatory.”

For more see enterprisestorageforum.com.

Judge OKs legal settlement for Mo. gov.’s e-mails

By DAVID A. LIEB

A judge has approved a legal settlement that requires outgoing Gov. Matt Blunt to hand over thousands of e-mails to investigators, but leaves unresolved the question of whether Blunt’s office violated public records laws.

Under the deal, Blunt’s office must provide 60,000 pages of e-mail documents from the accounts of the outgoing Republican governor and five staffers from a three-month period in 2007. The settlement includes no specific assertion of wrongdoing by Blunt nor any specific exoneration.

A bipartisan pair of court-appointed assistant attorneys general said they believe Blunt’s office broke Missouri law by deleting the e-mails that should have been saved as public records.

But former Democratic Lt. Gov. Joe Maxwell and Republican attorney Louis Leonatti both said it would have been almost impossible to prove Blunt’s office committed a knowing and purposeful violation, which are required elements under Missouri law for imposing civil fines.

That’s because they said Blunt and his top deputies were relying on in-house legal advice, albeit wrong, when they asserted in 2007 that e-mails were not public records and did not have to be kept.

Leonatti said there was nothing to indicate any criminal conduct occurred, and he praised Blunt’s former legal counsel, Henry Herschel, for eventually correcting his wrong interpretation of public records laws.

Blunt spokeswoman Jessica Robinson said Democratic Attorney General Jay Nixon, who will succeed Blunt as governor Jan. 12, wasted more than $600,000 of taxpayer money by initiating the investigation ‘with nothing to show for it but false accusations.’

The legal settlement seeks to end an e-mail controversy that has dogged Blunt for the final year-and-a-half of his term. The settlement gives investigators until Jan. 26 to complete a report on their findings, and then gives Blunt until Jan. 30 to attach a response before the report is publicly released.

Reviewing Your Email and Internet Usage Policies

Written by Sue Walsh on January 2, 2009

As the year comes to a close it’s a good time to review your Email and Internet usage policies and ensure that they are clear and comprehensive. The folks over at SmartBiz have published some helpful tips to assist you. Here’s an excerpt:

As the Internet and email have become a big part of our everyday lives, employers need to make clear the separation between work and non-work. What someone would consider appropriate with friends may be out of line in the workplace. Each practice needs to have a clear, written policy in place to eliminate confusion by the employees on what is and is not acceptable.

Such policies are critical in this day and age. It only takes one email or dubious website to cause your business a lot of trouble in the form of viruses, security or confidentiality breaches, even lawsuits. So keep your policy updated and easily available to all your employees!

10 tips to preserve data for the long haul — A better model for preserving data is needed and it requires worldwide collaboration, according to a task force on digital preservation and access

The growth of digital data is threatening to spiral out of control. More than 452 exabytes of information have been created and replicated this year — an amount higher than the world’s available storage capacity, according to IDC.

Not all data should be preserved, but efforts to save important information are being stymied by many factors: complacency, fear that the problem of long-term digital access and preservation is too big to take on, inadequate funding, confusion, and lack of alignment among stakeholders, a new report says. A better model for preserving data is needed, and it requires worldwide collaboration, says the Blue Ribbon Task Force on Sustainable Digital Preservation and Access, which consists of experts from universities, major libraries, and one tech company (Microsoft).

“The long-term accessibility and use of valuable digital materials requires digital preservation activities that are economically sustainable — in other words, provisioned with sufficient funding and other resources on an ongoing basis to achieve their long-term goals,” task force co-chairman Brian Lavoie of the Online Computer Library Center said in a press release.

Although the task force says an industrywide solution is needed, there obviously are many steps individual IT shops can take to implement a better data preservation plan. The task force’s second co-chair, Fran Berman, director of the San Diego Supercomputer Center (SDSC) at the University of California, offered a list of 10 tips for preserving data in a recent article.

For a look at Berman’s advice, see infoworld.com.


Local Government Botches E-Discovery and Legal Hold — County Underestimates Value of Its Own E-mail Records

Some public agencies don’t realize that in litigation their own good records can be their best defense.

Commonly a defendant in a lawsuit is reluctant to search through its e-mails – and incredulous that a court would force it to dig deep for them. In Toussie v. County of Suffolk, 2007 WL 4565160 (E.D.N.Y. Dec. 21, 2007), a New York county made the process of e-discovery excessively difficult and expensive for itself.

Plaintiffs sued the county for allegedly barring them from participation in a real estate auction to which they were entitled. After the lawsuit started, the county did a poor job of preserving its e-mail records. Then, when the plaintiffs demanded – in the “discovery” phase of the lawsuit — that the county search for and disclose relevant e-mail, the county faltered. It initially turned over only two e-mail records.

For more see legal-beagle.com.

25 Percent of Reported E-Discovery Opinions in 2008 Involved Sanctions Issues

Sheri Qualters
The National Law Journal
December 17, 2008

One-quarter of the reported electronic discovery opinions issued in the first 10 months of the year involved sanctions issues, according to a new Kroll Ontrack Inc. study.

The Kroll Ontrack software division of risk consultant Kroll Inc. analyzed 138 reported cases from January through October 2008 for the study. Also, according to the analysis, 13 percent of cases addressed preservation and spoliation issues; 12 percent involved computer forensics protocols and experts; 11 percent addressed admissibility; and 7 percent of cases involved privilege considerations and waivers.

The cases illustrate that judges frequently issue sanctions for mishandling of electronic discovery and lack of document retention policies, said Michele Lange, Kroll Ontrack’s director of legal technologies, in a statement. “It is clear that courts are no longer allowing parties to plead ignorance when it comes to [electronic discovery] best practices.”

Kroll Ontrack’s study detailed several decisions, including a federal court decision in the Northern District of California that required defendants to pay more than $250,000 in fees and costs for discovery conduct “among the most egregious this court has seen,” according to an Aug. 12 opinion by U.S. Magistrate Judge Elizabeth D. Laporte. Keithley v. The Home Store.Com Inc., No. 3:03-cv-04447 (N.D. Calif.).

Lack of policy adds to e-discovery cost and complexity — Large percentage of companies lack legal holds

IT and legal teams must work together to establish e-discovery policies. In fact, one-third of companies lack formal policies and procedures for legal holds, according to a recent poll of attorneys and executives conducted by Deloitte. A legal hold is the process by which companies preserve evidence subject to discovery for lawsuits and other legal and regulatory matters. In this increasingly litigious society, it’s likely IT will have to hand over e-mails and backup files.

“Given the relatively low cost of establishing a policy framework and processes to address legal hold issues, it is surprising to see such a large percentage of corporate America lacking in this area,” says Jeff Seymour, a principal with Deloitte Financial Advisory Services analytic and forensic technology practice.

Respondents indicated that responding to discovery requests has become significantly more complicated and costly. And less than one-third indicated their companies are very or extremely effective in managing the readiness aspect of the discovery process. Worse, 5% said the guidance provided to IT on litigation hold policies was unclear and 35% said it was only somewhat clear.

For more see NetworkWorld.com.

Comply Or Die: Data Disposition Must Be A Priority

IT groups rethinking the “save everything forever” approach find deletion and retention policies and tools must be razor sharp to cut through a morass of regulations.


While the oil and gas refined by CVR Energy will someday run out, the company generates a seemingly inexhaustible supply of data: 3 to 5 TB of information in 2008 alone, says CIO and senior VP Mike Brooks. He expects that load to double every year for the foreseeable future. 

Though disk may still be cheap, Brooks says, it just doesn’t make financial sense for CVR to store every bit of electronic information indefinitely. Besides raising hardware, software, and utilities costs, outsized data stores make backups and enterprise search less efficient, and legal e-discovery more burdensome. When you’re paying lawyers hundreds of dollars an hour to review e-mail and documents, a smaller pile means a smaller bill.


That’s why CVR, a $3 billion-a-year refinery based in Sugar Land, Texas, is undertaking a massive data disposition project, hammering out policies that will govern how long the company stores its information and when it can be disposed. Between deletions based on the new rules and other technology approaches, such as deduplication, Brooks hopes to cut CVR Energy’s disk use in half.


He isn’t alone. More organizations are evaluating–if not yet implementing–data disposition strategies. By 2013, half of all Global 2000 companies will have formal records management systems to shepherd data through its life cycle, Gartner estimates.


But this is one area CIOs must approach with caution. There are significant technological, regulatory, and organizational hurdles to clear before organizations can eliminate data with confidence. At the top of the list are compliance and legal. Every industry has government-mandated retention requirements. On the legal side, general counsel and human resources may worry that critical pieces of information that could support their positions–in case of employment discrimination or harassment claims, for example–may be destroyed. 

Technological and organizational challenges are just as daunting. Before you can dispose of information, you must identify it and know every place it resides–not a simple task. And users aren’t quick to give up the mail and documents they produce. As with NRA members, you may have to pry PST files and PowerPoint decks from their cold, dead hands.

For more see InformationWeek.com.