its $11111" . MA 5E VI ES OFFIC DFTH RY A HE LT Office for Civil nights, Region in [50 S. Independence Mall West Public [edger Building, Suite 312 Philadelphia, PA 19106-3499 Voice (215)361-4440 rm: - {215) est??st September 2012 {bliEil Our Transaction number: 03-12-138259 -, {bl?libl?hcl On January 24, 2012, the US. Deparnnent of Health and Human Services (HHS), Of?ce for Civil Rights (OCR), Region received a complaint from (Complainant) alleging that CVS Pharmacy (the covered entity), has violated the Federal Standards for Privacy of Individually Identi?able Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Speci?cally your complaint alleges that a CVS employee failed to use reasonable safeguards when addressing your concerns about your prescription. More speci?cally, the employee?s voice was audible to other pharmacy patients during your discussion with the pharmacy staff member. These allegations could re?ect a violation of 45 CPR 164.502(a) (impermissible disclosure) and 45 C.F.R. (Safeguards). Thank you for bringing this matter to attention. Your complaint plays an mtegral part in enforcement efforts. OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. The Privacy Rule permits certain incidental uses and disclosures of protected health information (PI-II) that occur as a by-product of another permissible or required use or disclosure of PHI, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. See 45 C.F.R. For example, the Privacy Rule permits covered health care providers to share PHI for treatment purposes without patient authorization as long as they use reasonable safeguards when doing so. These safeguards may vary depending on the mode of communication used. For example, when discussing patient health information orally with another provider in proximity of others, a doctor may be able to reasonably safeguard the information by lowering hisfher voice. We have carefully reviewed your complaint against CVS Pharmacy, and the staff and have determined to resolve this matter informally through the provision of technical assistance to CVS Pharmacy and the staff. Should OCR receive a similar allegation of noncompliance against CVS Pharmacy and the staff in the future, OCR may initiate a formal investigation of that matter. Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of InfonnationAct, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions regarding this matter, please contact Janice Fisher, Investigator, at (202) 619-0204 (Voice), 215-861-4441. Sincerely, efm W/m Frank Campbell Acting Regional Manager fawn a? a DEPART OFHEA TH MANSE VIC OFF CE FT SE ET Voice 4215531444?. {215) 851?4440 FAX - (215)361-4431 0m? forCIul Rights, Region 150 5. Independence Mall West 513mm Public Ledger Building, Suite 372 Philadelphia, PA [9106-3499 September 5, 2012 {bll?libllill?l Privacy O?icer CVS Caremark One CVS Drive Woonsoeket, RI 02895 Re: OCR Transaction Number: 12-138259 Deal. {Dll?l {Dilill?l On January 24, 2012, the us. Department of Health and Human Services HHS), Of?ce for Civil Rights (OCR), Region received a complaint from (Complainant) alleging that CVS Pbammcy (the covered entity), has violat - the Federal Standards for Privacy of Individually Identi?able Health Information (45 CPR. Parts 160 and 164, Subparts A and E, the Privacy Rule). Speci?cally, the complainant alleges that a CVS employee failed to use reasonable safeguards when addressing the Complainant?s concerns about her prescription. More speci?cally, the employee?s voice was audible to other pharmacy patients during her discussion with Complainant. These allegations could re?ect a violation of45 C.F.R. 164.502(a) (impermissible disclosure) and 45 C.F.R. ?164.530(c) (Safeguards). OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. The Privacy Rule permits certain incidental uses and disclosures of protected health information (PI-II) that occurs as a by-product of another permissible or required use or disclosure of PHI, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. See 45 C.F.R. 164.5m(a) (1) For example, the Privacy Rule permits covered health care providers to share PHI for treatment purposes without patient authorization as long as they use reasonable safeguards when doing so. These safeguards may vary depending on the mode of couununication used. For example, 1uhen discussing patient health information orally with another provider in proximity of others, a doctor may be able to reasonany safeguard the information by lowering hisfher voice. We have carefully reviewed your complaint against the practice of CVS Pharmacy and have determined to resolve this matter informally through the provision of technical assistance to CVS We have carefully reviewed your complaint against the practice of CVS Pharmacy and have determined to resolve this matter informally through the provision of technical assistance to CVS Pharmacy. Should OCR receive a similar allegation of noncompliance CVS Pharmacy in the . future, OCR may initiate a formal investigation of that matter Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other infonnation about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you should have any questions, please do not hesitate to contact Ms. Janice M. Fisher of my sta? at (202) 619-0204 or (215) 861-4441. Sincerely, . - AZ. Frank Campbell Acting Regional Manager Enclosures: Incidental Disclosures Reasonable Safeguards Minimum Necessary