DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region III
150 S. Independence Mall West
Public Ledger Building, Suite 372
Philadelphia, PA 19106-3499

Voice - (215) 861-4441
TDD (215) 861-4440
FAX (215) 861-4431

March 1, 2012

Ms. Anita Nijjer
Chief Privacy Officer
CVS Caremark
P.O. Box 520??
Phoenix, AZ 85072-2072

OCR Transaction Number: 11-127085

Dear Ms. Nijjer:

On May 3, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint from [name redacted] (Complainant) alleging a violation of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, the Complainant alleged that she has received unsolicited patient protected health information at her home fax machine. This allegation could reflect a violation of 45 C.F.R. 164.530(c) (safeguards).

OCR is responsible for enforcing certain provisions of HIPAA, Pub. L. No. 104-191, 110 Stat. 1936 (codified in scattered sections of Titles 18, 26, 29, and 42 U.S.C.). In particular, OCR is responsible for enforcing the Federal Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules).

The Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. 45 C.F.R.
An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule. However, an incidental use or disclosure is not permitted if it is a by-product of an underlying use or disclosure which violates the Privacy Rule. A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures. See 45 C.F.R. It is not expected that a covered entity's safeguards guarantee the privacy of protected health information from any and all potential risks.

Reasonable safeguards will vary from covered entity to covered entity depending on factors such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information they hold, and assess the potential risks to patients' privacy. For example, when mailing protected health information, reasonable safeguards may include the covered entity first confirming that the recipient's address is correct and verifying that only the intended information is included in the envelope. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.

When impermissible disclosures occur despite a covered entity's implementation of reasonable safeguards, the covered entity bears the responsibility of mitigating any harmful effects resulting from the disclosure. See 45 C.F.R. 164.530(g) (mitigation).
Possible mitigation efforts could include requesting that the recipient of the misdirected protected health information destroy or return the protected health information to the covered entity.

Based on the allegations in the Complaint, OCR believes that, even if the facts as alleged are established as true, at most they would constitute only a "de minimis" violation of the HIPAA Privacy Rule. As such, OCR is exercising its discretion not to investigate the allegations in this Complaint. However, to the extent that the allegations in the Complaint may have constituted a violation of the Privacy Rule, OCR is providing Technical Assistance to CVS Caremark with this letter, which includes guidance and information about the requirements of the HIPAA Privacy Rule surrounding disclosures incident to permissive disclosures of protected health information. In light of the Complainant's allegations, OCR wants to ensure that CVS Caremark fully understands and appreciates the requirements of the Privacy Rule and its obligations to comply with those requirements. Please be advised that, if OCR receives additional complaints which indicate that CVS Caremark has not implemented reasonable safeguards, OCR may pursue appropriate enforcement action.

OCR encourages CVS Caremark to assess which safeguards are reasonable and to retrain staff members on implementing the appropriate safeguards in order to prevent impermissible uses and disclosures of protected health information. OCR also suggests that CVS Caremark take all necessary steps to mitigate the effect of any known impermissible disclosures which may have occurred.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.
If you have any questions regarding this matter, please contact Ralph Balsamo at 215-861-4444. Thank you for bringing this matter to our attention.

Sincerely,

Marlene L. Rey
Acting Regional Manager