Voice (617) 555-1340, TDD (617) 555-1343, FAX (517) 565-3309

Office for Civil Rights, Region I
JFK Federal Building, Room ms
Government Center
Boston, MA 02203-0002

MAY 0 8

[redacted]
Coordinator
Privacy Investigations
One CVS Drive
Woonsocket, RI 02895

Our Reference number: 01-12-134233

Dear [redacted]

On November 2, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint alleging that the CVS pharmacy located at Quaker Meetinghouse Road, Sandwich, MA (CVS) is not in compliance with the Federal Standards for Privacy of Individually Protected Health Information and/or the Security Standards for the Protection of Electronic and Security Rules (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, the complainant alleges that an employee impermissibly disclosed the complainant's protected health information (PHI) when they handed to the complainant's mother a medication that the complainant had already picked up. On a previous occasion, an employee attempted to give to the complainant medication for another patient with the same last name. These allegations could reflect violations of 45 C.F.R. and 164.530(c) respectively.

OCR enforces the Privacy Rule, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

CVS provided OCR with written assurances of the following: the employee responsible for the incident was counseled, and a letter of apology was sent to the complainant. Staff at this location reviewed HIPAA, patient privacy and CVS policies and procedures pertaining to general use and disclosure, protecting PHI, filling/dispensing prescriptions, and internal sanctions for violations of privacy policies.

No evidence was found regarding the allegation of medication belonging to another patient with the same last name. CVS provided OCR with its policies and procedures related to uses and disclosures of PHI, safeguards, minimum necessary and sanctions, all of which OCR reviewed and found to be in compliance with the Privacy Rule.

All matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance actions of Therefore, OCR is closing this case. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Keisha Edwards, Investigator, at (617) 565-1350 (Voice), (617) 565-1343 (TDD).

Sincerely,

Peter K. Chan
Regional Manager