a! ??ute? ?a i DEPARTMENT OF HEALTH 8: HUMAN SERVICES Of?ce of the Secretary Voice - {617) 565-1340, (800) 363-1019 TDD - {617} 555-1343, (800) 537-769? Fax - (617) 565-3809 Govemrnent Center Room 18?5 Boston, MA 2203-0002 FEB 2?1 2012 {bli?llblilliCl I One CVS Drive Woonsocket, RI 02895 Our Reference number: 01-12-135229 (blt?ltbl?'l Dear (Cl and (blt?ltbl On November 23, 2011, the US. Department of Health and Human Services (HI-IS), Of?ce for Civil Rights (OCR) received a complaint alleging that CVS is in violation of the Federal Standards for Privacy of Individually Identi?able Health Information andfor the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Speci?cally, the complaint alleged that CVS failed to safeguard its patients? protected health information (PI-II). In addition, the complaint alleged that CVS failed to mitigate the problem once the complainant informed CVS of the issue. This allegation could re?ect violations of 45 CPR. 164.530(c) and OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. On December 12, 2011, OCR noti?ed CVS of the complaint. On January 20, 2012, OCR received response to the allegations and supporting documentation. During its investigation, OCR discovered the following: the issues the complainant was experiencing were originating from CVS Store No. 5750 in Winchester, Virginia. The pharmacy staff at that location had been mistakenly ?lling prescriptions for one of their patients under the complainant?s record. The patient at CVS Store No. 5750 has the same name and date of birth as the complainant. The Pharmacy Supervisors for both the complainant?s location and for Store No. 5750 worked together to resolve the matter. Speci?cally, CVS provided OCR with written assurances of the following corrective actions taken in response to this complaint: the incorrect information on the complainant?s prescription record was deleted; the record for the other patient involved in this incident was corrected and updated; any incorrect insurance billings were reversed; middle initials were added to the pro?les for both patients; a note was added to the Of?ce for Civil Rights, Region I J.F. Kennedy Federal Building, Page No: 2, Transaction Nos 12-135229 complainant?s record to alert pharmacy sta??s that they should always verify the patient's address; the CVScom department con?rmed that the records for both patients were no longer linked and that the complainant would no longer be able to view any other patients information in her online account; CVS sent the complainant a letter of apology for the incident; and the entire pharmacy staff for CVS Store No. 5750 were sanctioned in accordance with sanction policy and were counseled and retrained on HIPAA and CVS Caremark's privacy policies regarding safeguarding patient PHI, patient veri?cation and internal sanctions for violations of CVS Caremark?s privacy policies andfor Federal and State privacy laws. In addition, CVS provided OCR with its policies and procedures related to safeguarding patient PHI, receiving and responding to patient complaints, CVScom?s online pharmacy management systems? policy and procedures for handling complaints, and evidence of retraining, all of which OCR reviewed and found to be in compliance with the Privacy Rule. All matters raised by this complaint at the time it was ?led have now been resolved through the voluntary compliance actions of CVS. Therefore, OCR is closing this case. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions, please contact Erin Walker, Investigator, at Erin.Walker hhs. ov, or (617) 565?1351 (Voice), (617) 565-1343, (800) 537-7697 (TDD). Sincerely, Peter K. Chan Regional Manager