aim 



.
a"









:1

?b

 

 

DEPARTMENT OF HEALTH 3: HUMAN SERVICES OFFICE OF THE SECRETARY
Voice -{212) 254-3313, (300) 303-1010 Of?ce for Civil Rights, Region II
TDD - (212) 204-2355. Jacob Javtts Federal Building

26 Federal Plaza, Suite 3312

- (212) 264-3039

New York, NY 10278

OCTI 1 2012

 

{b.ltaitbitiitci

 

 

 

Our Reference number: 12433508

 

'6.b 3
Dear {bit it it )0 i

 

 

 

Thank you for your complaint which was received by the us. Department of Health and
Human Services (HHS), Office of Civil Rights (OCR) on October 12, 2011. In your
complaint you allege that the CVS Pharmacy in Bellmore, New York (Covered Entity) is
in violaticn'of the Federal Standards for Privacy of Individually Identi?able Heaith
Information andi'or the Security Standards for the Protection of Electronic Protected
Health information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E. the Privacy and
Security Rules). Speci?cally. you allege that on October 12, 2011, a pharmacist at the
Covered Entity faiied to safeguard patients? protected heatth information when the
pharmacist let a repair person go behind the pharmacy counterto make repairs while
the computer screens were up and in use.

OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights
laws which prohibit discrimination in the delivery of health and human services because
of race. calor. national origin, disability, age and under certain circumstances, sex and
religion. 

Upon review of your complaint, OCR contacted the Covered Entity and provided
technical assistance about safeguarding patients? PHI from impermissible uses and

disclosures. OCR informed the Covered Entity that workforce members must be vigilant

at all times about safeguarding patients? PHI and must not aliow repair persons to have
access to PHI in the absence of a HIPAA compliant business associate agreement. As
a resuit, the Covered Entity provided assurance to OCR that its entire staff will receive
training on the importance of safeguarding patient PHI as per its privacy poticy. On May
9, 2012, the Covered Entity provided OCR with documentation evidencing that its
workforce received training from May 3, 2012 through May 5, 2012 on Privacy
Rules and privacy policies. Based upon this response. we have determined that
no further OCR action is warranted, and therefore. we are closing this matter. This
determination applies only to the allegation in this complaint that was reviewed by OCR.

 

 

 

{bit?itbitl?it?i

 

 

Page 2 

 

Under the Freedom of information Act, we may be required to release this letter and
other information about this case upon request by the public. In the event OCR
receives such a request, we will make every effort, as permitted by law, to protect
information that identifies individuals or that, if released, could constitute a clearly
unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Jenny lm, Investigator,
at (212) 264-4997. Thank you for bringing this matter to our attention.

Sincer ly,

?51.45

da C. Colon
Regional Manager
Of?ce for Civil Rights
Region II