DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region II
Jacob Javits Federal Building
26 Federal Plaza, Suite 3312
New York, NY 10278
Voice - (212) 264-3313, [illegible]
TDD - (212) 264-2355
FAX - (212) 264-3039

[redacted]

Re: OCR Transaction Number: 12-133349

Dear [redacted]:

On January 19, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received your complaint alleging that a pharmacist at CVS Pharmacy, the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). The complaint was sent to Region II for consideration. Specifically, you allege that a pharmacist at CVS Pharmacy called your home and gave a family member complete details about your prescription without your permission. This allegation could reflect a violation of 45 C.F.R. 164.510 and 164.530(c).

Thank you for bringing this matter to attention. Your complaint plays an integral part in OCR's enforcement efforts.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces the Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

A covered entity may not use or disclose protected health information except as permitted or required by the Privacy Rule. As long as an individual does not object, a covered entity is allowed to share or discuss with the individual's family, friends, or other persons identified by the individual the protected health information that is directly relevant to such person's involvement with the individual's care or payment for care.
The covered entity may ask the individual's permission, may tell the individual that the covered entity plans to discuss the information and give the individual an opportunity to object, or may decide, using the covered entity's professional judgment, that the individual does not object. However, in any of these cases, the covered entity may discuss only the information that the person involved needs to know about the individual's care or payment for their care.

The minimum necessary provision of the Privacy Rule also requires the covered entity to limit access to protected health information by identifying the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and conditions appropriate to such access.

The Privacy Rule permits certain incidental uses and disclosures of protected health information that occur as a by-product of another permissible or required use or disclosure of PHI, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. See 45 C.F.R. For example, the Privacy Rule permits covered health care providers to share PHI for treatment purposes without patient authorization as long as they use reasonable safeguards when doing so. These safeguards may vary depending on the mode of communication used. For example, when discussing patient health information orally with another provider in proximity of others, a doctor may be able to reasonably safeguard the information by lowering his/her voice.

Finally, a covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures required by the Privacy Rule or its compliance with such policies and procedures or with the requirements of the Privacy Rule. 45 C.F.R. 164.530.

We have carefully reviewed your complaint against CVS Pharmacy and have determined to resolve this matter informally through the provision of technical assistance to CVS Pharmacy. Should OCR receive a similar allegation of noncompliance against CVS Pharmacy in the future, OCR may initiate a formal investigation of that matter.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Shirlene Peterson at (212) 264-3321 (Voice) or (212) [illegible].

[signature partly illegible]
Regional Manager

DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region II
Jacob Javits Federal Building
26 Federal Plaza, Suite 3312
New York, NY 10278
Voice - (212) 264-3313, [illegible]
TDD - (212) [illegible]
FAX - (212) 264-3039

Privacy Officer
CVS Pharmacy
1385 West Henderson Road
Upper Arlington, OH 43220

Re: OCR Transaction Number: 12-133349

Dear Privacy Officer:

On January 19, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received a complaint alleging that a pharmacist at CVS Pharmacy, the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E). The complaint was sent to Region II for consideration.
Specifically, [redacted] alleges that a pharmacist at CVS Pharmacy called her home and gave a family member complete details about her prescription without her permission. This allegation could reflect a violation of 45 C.F.R. 164.510 and 164.530(c).

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces the Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

Pursuant to the Privacy Rule, a covered entity may not use or disclose protected health information (PHI) except as permitted or required by the Privacy Rule. As long as an individual does not object, a covered entity is allowed to share or discuss the individual's health information with the individual's family, friends, or others involved in the individual's care or payment for their care. The covered entity may ask the individual's permission, may tell the individual that the covered entity plans to discuss the information and give the individual an opportunity to object, or may decide, using the covered entity's professional judgment, that the individual does not object. However, in any of these cases, the covered entity may discuss only the information that the person involved needs to know about the individual's care or payment for their care.

The minimum necessary provision of the Privacy Rule also requires the covered entity to limit access to protected health information by identifying the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and conditions appropriate to such access.

Finally, a covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures required by the Privacy Rule or its compliance with such policies and procedures or with the requirements of the Privacy Rule. 45 C.F.R. 164.530.

The Privacy Rule permits certain incidental uses and disclosures of protected health information (PHI) that occur as a byproduct of another permissible or required use or disclosure of PHI, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. See 45 C.F.R. For example, the Privacy Rule permits covered health care providers to share PHI for treatment purposes without patient authorization as long as they use reasonable safeguards when doing so. These safeguards may vary depending on the mode of communication used. For example, when discussing patient health information orally with another provider in proximity of others, a doctor may be able to reasonably safeguard the information by lowering his/her voice.

In this matter, the complainant alleges the complainant's PHI was impermissibly disclosed to a member of the complainant's family or to an acquaintance of the complainant or that the complainant's PHI was otherwise impermissibly used by CVS Pharmacy and/or that the incidental use or disclosure of PHI was not permissible, either because reasonable safeguards were not in place to prevent the use or disclosure and/or because the minimum necessary standard was not implemented when it should have been.

Pursuant to its authority under 45 C.F.R. 160.304(a) and [citation illegible], OCR has determined to resolve this matter informally through the provision of technical assistance to CVS Pharmacy.
To that end, OCR has enclosed material explaining the Privacy Rule provisions related to Incidental Uses and Disclosures, Reasonable Safeguards, and the Minimum Necessary requirement and Disclosures to Family and Friends. It is our expectation that you will review these materials closely and share them with your staff as part of the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your workforce. It is also our expectation that you will assess and determine whether there may have been an incident of noncompliance as alleged by the complainant in this matter, and, if so, to take the steps necessary to ensure such noncompliance does not occur in the future.

Please contact OCR if you need further information regarding the allegations in this matter. Should OCR receive a similar allegation of noncompliance against you in the future, OCR may initiate a formal investigation of that matter.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Shirlene Peterson at (212) 264-3321 (Voice) or (212)

Enclosures:
Disclosures to Family and Friends
The Minimum Necessary Requirement
Reasonable Safeguards
Incidental Uses and Disclosures