DEPARTMENT OF HEALTH 6: HUMAN SERVICES OFFICE OF THE SECRETARY i Voice- (215) 361-4441 office for Rights, Region TDD - (215) 361-4440 150 5. Independence Mall West FA): - (215) 361-4431 Public Ledger Building, Suite 37'2 WW Philadelphia, PA 19106?3499 Reference: 12-137466 Investigator: Janice.Flsher Contact Telephone: 202-619-0204 November 22, 2013 {bli?libliilicl em. iblidiihliiliCl On January 4, 2012, the U.S. Department of Health and Human Services (HHS), Of?ce for Civil Rights (OCR), Region received your complaint alleging that CVS Pharmacy, the covered eitity, has violated the Federal Standards for Privacy of Individually Identi?able Health Information (45 CPR. Parts 160 and 164, Subparts A and E, the Privacy Rule). Speci?cally, you allege that an employee of CVS Pharmacy left a message regarding the availability of your prescription re?ll with a member of your household. This allegation could re?ect a violation of 45 164.510 (13), and Thank you for bringing this matter to attention. Your complaint plays an integral part in enforcement efforts. OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also enforces the Federal civil rights laws which prohibit discrimination in the delivery of health and human sendces because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. A covered entity may not use or disclose protected health information except as permitted or required by the Privacy Rule. As long as an individual does not object, a covered entity is allowed to share or disease with the individual?s family, friends, or other persons identi?ed by the individual the protected health infonnation that is directly relevant to such person?s involvement with the individual?s care or payment for care. The covered entity may ask the individual?s permission, may tell the individual that the covered entity plans to discuss the information and give the individual an opportunity to object, or may decide, using the covered entity's professional judgment, that the individual does not object. However, in any of these cases, the covered entity may discuss pg}; the information that the person involved needs to know about the individual?s care or payment ?Jr their care. The minimum necessary provision of the Privacy Rule also requires the covered entity to limit- access to protected health information by identifying the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and conditions appropriate to such access. Finally, a covered entity must provide a process for individuals to make complaints concerning the covered entity?s policies and procedures required by the Privacy Rule or its compliance with such policies and procedures or with the requirements of the Privacy Rule. 45 C.F.R. 164.530 (H We have care?ally reviewed your complaint against CVS Pharmacy and have determined to resolve this matter inibrmally through the provision of technical assistance to CV Pharmacy. Should OCR receive a similar allegation of noncompliance against CVS Pharmacy in the ?lture, OCR may initiate a formal investigation of that matter. Based on the foregoing, can is closing this case without further action, effective the date ofthis letter. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, couid constitute a clearly unwarranted invasion of personal privacy. If you have any questions regarding this matter, please contact Janice Fisher, Investigator, at (202) 619-0204. Barbara J. Holland Regional Manager