i


 

 



DEPARTME OF HEAL E: HUMAN SERVICES OFFICW
Voice [617) 565-1340. {300) 368-1019, TDD (617) 565- 1343, {300) 531-?697
FAX {611) 565-3809, Dillon for Civil Rights. Regiol 
JFK Federal Building, Room 1875
Government Center

Benoit, MA 02203-0002

OCT 1 1, 2m]
Coordinator Privacy Investigations

CVS Caremark

One CVS Drive

Woonsocket, RI 02895

 



 

 

 

Our Reference number: 1 1-127605

 

 

glimmer?) 

 

 

 

 

Dear

 

On May 25, 2011, the US. Department of Health and Human Services (HHS), Of?ce for Civil
Rights (OCR) received a complaint alleging a violation of the Federal Standards for Privacy of
Individually Identi?able Health Information andfor the Security Standards for the Protection of
Electronic Protected Health Information (45 CPR Parts 160 and 164, Subparts A, C, and E, the
Privacy and Security Rules). Speci?cally, complainant, a physician, alleges that CVS Caremark
impermissiny disclosed complainant? protected health information to employees of his practice
when it faxed personal prescription re?ll notices to complainant?s practice instead of to his
prescribing doctor. This allegation could re?ect a violation of 45 CPR. ?164.502(a) and


OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which
prohibit discrimination in the delivery of health and human services because of race, color,
national origin, disability, age, and under certain circumstances, sex and religion.

011 July 19, 2011, OCR noti?ed CVS Caremark of the complaint.

CVS Careka has provided us written assurance of the following: CVS was noti?ed of the
issue on May 17, 201 1. Upon investigation, CVS veri?ed that the patient?s re?ll had been
wrongly faxed to patient?s business address. This occurred as a result of a data entry mistake
whereby the patient?s information was mistakenly entered as the prescribing physician for the
prescription at issue. CVS has since corrected the record so that ?lture correspondence will be
properly directed. CVS has also apologized to complainant. The store in question?s pharmacy
staff has also hoen retrained on their responsibilities under the HIPAA Privacy Rule and CVS
policies and procedures for entering and verifying prescription information. OCR has also
reviewed policies and procedures related to safeguarding patient protected health

information as well as prescription entry procedures. These policies and procedures appear to
comply with the Privacy Rule.

All matters raised by this complaint at the time it was ?led have now been resolved through the
voluntary compliance actions of CVS Caremark. Therefore, OCR is closing this case.

determination as stated in this letter applies only to the allegations in this complaint that
were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a request,
we will make every effort, as permitted by law, to protect information that identi?es individuals
or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Phil Lewis, Investigator, at
565-1355 (Voice), (617) 565-1343 (TDD).

Sincerely,



Peter K. Chan
Regional Manager