Archive for the ‘HIPAA Laws’ Category

Rite Aid to Pay $1 Million to Atone for Their HIPAA Sins

If you are one of the thousands of HIPAA professionals who struggle every day to make their colleagues understand why all the finicky (and, let’s face it, sometimes downright annoying) HIPAA rules have to be followed to the letter, here is yet another cautionary tale you can now use to back up your arguments.

On Tuesday, July 27th, 2010, it was announced that drugstore giant Rite Aid had agreed to a $1 million settlement to atone for their HIPAA transgressions. The settlements apply to all of Rite Aid’s nearly 4,800 retail pharmacies and follow an extensive joint investigation by the HHS Office for Civil Rights (OCR) and the FTC.

The problems began for Rite Aid and its 40 affiliated entities – collectively known as RAC – when the television news media began producing video footage of various RAC employees in several cities across the country disposing of prescription bottles containing individuals’ identifiable information in industrial dumpsters that were accessible by the public – a huge HIPAA violation that one would have assumed a giant corporation would have known better than to ever risk.

In addition to the fines, Rite Aid has had to forge agreements with both the OCR (Office for Civil Rights) and the FTC (Federal Trade Commission), who conducted the joint investigation, as to the steps it has to take to ensure that such violations never occur again.

You can read the full press statement announcing the settlement here

Connecticut AG and Health Net Cut a Deal over HIPAA Security Breach

Connecticut State Attorney General Richard Blumenthal made a little bit of history back in January of this year when he became the first AG in the country to bring a HIPAA enforcement action, which he did against insurance giant Health Net. Now he has just made a little more by announcing he has brokered the first state settlement of such an action.

The suit came about as a result of Health Net’s loss of a hard drive containing over 500,000 individuals’ records, including clinical data, Social Security numbers, addresses, and other financial information. According to Blumenthal, Health Net then compounded the gaffe (which they chalked up to theft) by failing to inform those affected about what had occurred for over six months after the incident.

Under the terms of the settlement, Health Net will be ordered to pay $250,000 directly to the state of Connecticut, representing statutory damages (and, no doubt, to serve as a warning to other health insurance companies as well). They will also have to put aside a further $500,000 to cover damages should it eventually be found that the missing hard drive was accessed and that members’ personal information was ever used in an illegal manner. Guessing that there are still a lot of crossed fingers at Health Net on that issue.

You can view the full settlement details here

New Law Addresses Genetic Discrimination Gaps in HIPAA

In order to protect the public from possible abuse of their personal genetic information, Congress has voted to ban genetic discrimination in the workplace. The new law addresses questions raised by advances in genetic testing that go beyond the scope of HIPAA.

The main thrust of this bill is to deny the opportunity to misuse the information. There are some privacy elements in here, as well. Much of that is covered by HIPAA, which was passed now a long time ago.

Read the whole article here