Walgreens’ new pharmacy model may be unintentionally violating customers’ patient privacy rights. Named the “Well Experience,” this new store layout/business model gets pharmacists out in the store, with the intention of increasing the pharmacists’ accessibility to patients and making the customer experience more personal. However, this movement away from the traditional behind-the-counter method of operation may put patients’ privacy at risk, according to a 2013 study by advocacy group Change to Win.
Is Walgreens Guilty of HIPAA Non-compliance?

Change to Win, a labor union-backed group, has filed a complaint with the Office of Civil Rights alleging HIPAA violations. Their study, which looked at 50 Walgreens stores in several states that had implemented the Well Experience model, resulted in allegations, among others, that in 80% of stores visited, study investigators observed desks left unattended by the pharmacist. HHS is now looking into the allegations. Areas of concern included sensitive patient information left either on or near the desktop, easily viewable by other customers. The information was found to include patients’ medical histories or test results, along with patient call lists showing patient names, telephone numbers and currently prescribed drugs. In addition, Change to Win took another look at Walgreens stores and still found alleged potential privacy breaches at 73% of stores it visited, with 46% leaving patients’ prescriptions out where they could be seen or accessed. Other actions that could lead to potential HIPAA violations were the disposal of sensitive information in unattended trash cans and unattended computers displaying sensitive customer information on their monitors.
Change to Win’s publicly stated mission is to unionize workers in service sectors such as retail pharmacy. Eagle speculates that Change to Win’s study and HIPAA complaint are in support of its goal to organize workers at Walgreens.
Other pharmacy chains have settled HIPAA violations with HHS, including both CVS and Rite Aid.
So, what does this mean for healthcare organizations? In general, businesses of every size must be aware of and avoid HIPAA non-compliance. Entities large and small should be aware of this compliance risk and should invest appropriately in compliance. Sloppy compliance practices may be exposed by upset patients, a disgruntled employee, a news organization or, as in this case, a labor union-funded group. Organizations that blatantly disregard HIPAA regulations are at higher risk of stiff enforcement actions. Eagle Consulting has observed that the HIPAA enforcement “machinery” at OCR and the Department of Justice can take years to reach a resolution, so it may be some time before we find out OCR’s opinion about these Walgreens allegations.