CVS’ HIPPA Headache

Though the vast majority of citizens would prefer their health data to be private — and likely believe it will be due to the stringencies of HIPPA — a new report by ProPublica casts some real questions about just how safe consumer health data is.

The investigation turned up hundreds upon hundreds of violations — all reported to the U.S. Department of Health and Human Services’ Office for Civil Rights between 2011 and 2014. And yet, for all those reports, there were almost no repercussions.

The biggest identified offender was the U.S. Department of Veterans Affairs, which racked up 220 violations and the creation of a corrective action plan. In the number two spot was CVS with 204 violations. And no punishments. Walgreens clocked in at third place (183 violations), with Kaiser Permanente just missing the podium with 146.

“Although the Office for Civil Rights receives thousands of complaints a year,” writes ProPublica, “it issues only a handful of financial penalties.”

Violations at CVS include yelling patient information across the store, contacting consumers at incorrect phone numbers, disclosing private information to answering machines and — the best — faxing sensitive health data to totally unrelated third parties.

Other highlights from the report included stories of hospital staff taking pictures of patients and posting them on social media, and pharmacy staff yelling about a customer’s birth control prescriptions.

CVS, as well as the other firms named, has confirmed it is serious about consumer privacy and vows to do better in the future.



The pressure on banks to modernize their payments capabilities to support initiatives such as ISO 20022 and instant/real time payments has been exacerbated by the emergence of COVID-19 and the compelling need to quickly scale operations due to the rapid growth of contactless payments, and subsequent increase in digitization. Given this new normal, the need for agility and optimization across the payments processing value chain is imperative.