Skip to main content

Improper Disposal Costs Rite Aid $1 Million

Written by Dianne Bourque

Rite Aid has agreed to pay $1 million to settle allegations that it violated HIPAA by disposing of labeled pill bottles in unsecured dumpsters accessible to the public. The $1 million fine settles a joint Office of Civil Rights (OCR)/Federal Trade Commission (FTC) investigation prompted by televised media reports of pharmacies disposing of pill bottles containing patient information. Rite Aid and several other retail pharmacies in cities throughout the United Sates were highlighted in the report.

The improper disposal of patient labels violates the HIPAA Privacy Rule (not the security rule, because the labels are paper) and exposes patients to the risk of identity theft and other crimes.

In addition to paying the $1 million resolution amount to OCR, Rite Aid has agreed to implement “a strong corrective action program” including:

· Revising its policies and procedures related to the disposal of PHI and sanctioning workers who do not follow them

· Training workforce members on new policies and procedures

· Conducting internal monitoring

· Engaging a qualified, independent third party assessor to review its compliance efforts and report to HHS



Dianne Bourque

Dianne is an associate in the firm’s Health Law Section. She advises a variety of health care clients on a broad range of issues, including licensure, regulatory, contractual, and risk management matters, and patient care.

Subscribe To Viewpoints


Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.