DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region III
150 S. Independence Mall West
Public Ledger Building, Suite 372
Philadelphia, PA 19106-3499
Voice: (215) 861-4441
TDD: (215) 861-4440
FAX: (215) 361-4431

February 3, 2012

Privacy Adviser, CVS Caremark
PO Box 52072
Phoenix, AZ 85072-2072

OCR Transaction Number: 11-126426

Dear [names redacted]:

On April 13, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint from [name redacted] (Complainant) alleging a violation of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules) by CVS Caremark (covered entity). Specifically, the Complainant alleged that the covered entity impermissibly faxed the protected health information of other individuals to the Complainant. This allegation could reflect a violation of 45 C.F.R. 164.530(c) (safeguards).

OCR is responsible for enforcing certain provisions of HIPAA, Pub. L. No. 104-191, 110 Stat. 1936 (codified in scattered sections of Titles 18, 26, 29, and 42 U.S.C.). In particular, OCR is responsible for enforcing the Federal Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules).

The Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. See 45 C.F.R. [citation illegible]. An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule. However, an incidental use or disclosure is not permitted if it is a by-product of an underlying use or disclosure which violates the Privacy Rule.

A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures. 45 C.F.R. [citation illegible]. It is not expected that a covered entity's safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information they hold, and assess the potential risks to patients' privacy. For example, when mailing protected health information, reasonable safeguards may include the covered entity first confirming that the recipient's address is correct and verifying that only the intended information is included in the envelope. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.

When impermissible disclosures occur despite a covered entity's implementation of reasonable safeguards, the covered entity bears the responsibility of mitigating any harmful effects resulting from the disclosure. See 45 C.F.R. [citation illegible] (mitigation). Possible mitigation efforts could include requesting that the recipient of the misdirected protected health information destroy or return the protected health information to the covered entity.

Based on the allegations in the Complaint, OCR believes that, even if the facts as alleged are established as true, at most they would constitute only a "de minimis" violation of the HIPAA Privacy Rule. As such, OCR is exercising its discretion not to investigate the allegations in this Complaint. However, to the extent that the allegations in the Complaint may have constituted a violation of the HIPAA Privacy Rule, OCR is providing Technical Assistance to the covered entity with this letter, which includes guidance and information about the requirements of the HIPAA Privacy Rule surrounding disclosures incident to permissive disclosures of protected health information. In light of the Complainant's allegations, OCR wants to ensure that the covered entity fully understands and appreciates the requirements of the Privacy Rule and its obligations to comply with those requirements.

Please be advised that, if OCR receives additional complaints which indicate that the covered entity has not implemented reasonable safeguards, OCR may pursue appropriate enforcement action. OCR encourages the covered entity to assess which safeguards are reasonable and to retrain staff members on implementing the appropriate safeguards in order to prevent impermissible uses and disclosures of PHI. OCR also suggests that the covered entity take all necessary steps to mitigate the effect of any known impermissible disclosures which may have occurred.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Ralph Balsamo at (215) 361-4444. Thank you for your participation in this matter.

Sincerely,

Marlene L. Rey
Acting Regional Manager