?r'f DEPARTMENTOFHEALTHQ HUMAN SERVICES OFFICE SECRETARY Voice - t215l 861-4441. {215) 861-4440 Of?ce Ci?l Rights, Region 150 S. Independence Mall West Public Ledger Sum-:- 37: Philadelphia. PA 19106-3499 March 21,2011 Ms. Anita Nijer Chief Privacy Of?cer CVS Caremark PO. Box 52072 Phoenix, AZ 85072-2072 Our Transaction number: 1 1-122108 Dear {blisliblillicl and Ms. Nijer: The US. Department of Health and Human Services Of?ce for Civil Rights (OCR). received a complaint alleging that CVS Caremark (covered entity} is not in compliance with the Federal Standards for Privacy of Individually Identi?able Health Information {45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Speci?cally. the complainant alleges that she has received unsolicited patient protected health information at her home fax machine. This allegation could re?ect a violation of 45 CPR. uses and disclosUres of protected health information. OCR enforces the Privacy Rule, and enforces federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color. national origin. disability and age. On January 21, 201 l, OCR notified the covered entity ofthe complaint filed against it. investigation revealed that the complainant?s assertions occurred as she alleged. OCR found evidence that the complainant received the protected health information of a patient. Therefore, the covered entity took actions to correct the deficiencies that OCR found. The Privacy Rule at 45 CPR. ?l 64.506 permits use and disclosure of protected health information for treatment, payment or health care operations. The disclosure found in this case would not be permissible under 45 C.F.R. 164.50}, or any other portion of the Privac Rule. OCR found that the covered entity?s contractor did not have the correct fax number for Based uon this complaint, the covered entity?s contractor has obtained the correct fax number, and has updated ?33$?me ontact information. The Privacy Rule under 45 164.5306) provides that a covered entity must mitigate to the extent practicable any harmful effect that is loiown to the covered entity as a result of an impermissible use or disclosure of protected health information. Due to ?ndings. the covered entity sent a letter of apology to the patient. Lastly, the Privacy Rule at 45 164.528 provides that an individual has the right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date of the request, except for disclosures to carry out treatment, payment or health care operations. The covered entity made an accounting of this disclosure for the patient. All matters raised by this complaint at the time it was ?led have now been resolved through the voluntary compliance and corrective actions of the covered entity. Therefore, OCR is closing this complaint. determination as stated in this letter applies only to the allegations in this complaint that OCR reviewed. Please note, however, that the closure of this investigation does not remove your obligation to comply with breach noti?cation rules under 45 C.F.R. 164.408(c) which require annual noti?cation to the Secretary of HHS of breaches affecting less than 500 individuals. The repotting form can be accessed here: ovfocrf rivac v'hi Under the Freedom of Information Act, it may be necessary for OCR to release this document and related correspondence and records upon request. In the event OCR receives such a request, we will seek to protect, to the extent provided by law, personal information, which if released, would constitute an unwarranted invasion of privaCy. If you have any questions, please contact please contact Ralph Balsamo Investigator, at (215} 861-4444 (Voice), or (215) 361-4440 (TTY). Sincerely, 32mm 645* Marlene L. Rey Acting Regional Manager