DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region III
150 S. Independence Mall West
Public Ledger Building, Suite 372
Philadelphia, PA 19106-3499
Voice (215) 861-4441
TDD (215) 861-4440
FAX (215) 861-4431
http://www.hhs.gov/ocr

May 23, 2012

[redacted]
Privacy Adviser
CVS Caremark
PO Box 52072
Phoenix, AZ 85072-2072

Our Transaction Number: 11-123222

Dear [redacted]:

On January 31, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint from [redacted] (Complainant) alleging a violation of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules) by Independence Blue Cross Blue Shield. Specifically, the Complainant alleged that CVS Caremark impermissibly released his protected health information. The Complainant alleges that during his visit to a CVS in Frederick, Maryland, an employee openly released the Complainant's sensitive and confidential health information to individuals he did not know. This allegation could reflect a violation of 45 C.F.R. 164.530(c) (safeguards).

OCR is responsible for enforcing certain provisions of HIPAA, Pub. L. No. 104-191, 110 Stat. 1936 (codified in scattered sections of Titles 18, 26, 29, and 42 U.S.C.). In particular, OCR is responsible for enforcing the Federal Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules).
The Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. See 45 C.F.R. [citation illegible]. An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule. However, an incidental use or disclosure is not permitted if it is a by-product of an underlying use or disclosure which violates the Privacy Rule. A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures. 45 C.F.R. [citation illegible]. It is not expected that a covered entity's safeguards guarantee the privacy of protected health information from any and all potential risks.

Reasonable safeguards will vary from covered entity to covered entity depending on factors such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information they hold, and assess the potential risks to patients' privacy. For example, when mailing protected health information, reasonable safeguards may include the covered entity first confirming that the recipient's address is correct and verifying that only the intended information is included in the envelope. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.
When impermissible disclosures occur despite a covered entity's implementation of reasonable safeguards, the covered entity bears the responsibility of mitigating any harmful effects resulting from the disclosure. See 45 C.F.R. 164.530(g) (mitigation). Possible mitigation efforts could include requesting that the recipient of the misdirected protected health information destroy or return the protected health information to the covered entity.

Based on the allegations in the Complaint, OCR believes that, even if the facts as alleged are established as true, at most they would constitute only a "de minimis" violation of the HIPAA Privacy Rule. As such, OCR is exercising its discretion not to investigate the allegations in this Complaint. However, to the extent that the allegations in the Complaint may have constituted a violation of the HIPAA Privacy Rule, OCR is providing Technical Assistance to CVS Caremark with this letter, which includes guidance and information about the requirements of the HIPAA Privacy Rule surrounding disclosures incident to permissive disclosures of protected health information. In light of the Complainant's allegations, OCR wants to ensure that CVS Caremark fully understands and appreciates the requirements of the Privacy Rule and its obligations to comply with those requirements. Please be advised that, if OCR receives additional complaints which indicate that CVS Caremark has not implemented reasonable safeguards, OCR may pursue appropriate enforcement action. OCR encourages CVS Caremark to assess which safeguards are reasonable and to retrain staff members on implementing the appropriate safeguards in order to prevent impermissible uses and disclosures of protected health information. OCR also suggests that CVS Caremark take all necessary steps to mitigate the effect of any known impermissible disclosures which may have occurred.
Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions regarding this matter, please contact Ralph Balsamo at 215-861-4444. Thank you for bringing this matter to our attention.

Sincerely,

Marlene L. Rey
Acting Regional Manager