DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of the Secretary
Office for Civil Rights, Region I
Government Center
J.F. Kennedy Federal Building, Room 18?5
2 2812
Boston

Voice - (617) 565-1340, (300) 3584019
TDD - (617) 565-1343, (300) 531769?
Fax - (617) 565-3809

[redacted]
Privacy Investigator
CVS
One CVS Drive
Woonsocket, RI 02895

Our Reference number: 01-12-139121

Dear [redacted]:

On February 15, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint alleging a violation of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, the complaint alleged that CVS impermissibly disclosed the complainant's protected health information (PHI). This allegation could reflect violations of 45 C.F.R. 164.502(a) and

OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

On March 5, 2012, OCR notified CVS of the complaint. On April 13, 2012, CVS responded to the complaint allegations and provided supporting documentation. CVS provided OCR with written assurances of the following:

CVS conducted an investigation which determined that a workforce member had inadvertently given the complainant's prescription to another patient. The other patient's mother, who received the prescription in error, came back to the pharmacy to return the medication. The workforce member that made the error was sanctioned in accordance with sanctions policy, and retrained on the verification of patient information at pick up.
In addition, CVS retrained the entire staff on protecting PHI and the internal sanctions policy. CVS provided OCR with a copy of its policies and procedures related to uses and disclosures of PHI, safeguards, and evidence of the sanctions taken against the workforce member at issue in this incident, as well as evidence of the entire staff's re-training, all of which OCR reviewed and found to be in compliance with the Privacy Rule.

All matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance actions of CVS. Therefore, OCR is closing this case. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Erin Walker, Investigator, at Erin.Walker@hhs.gov, (617) 565-1351 (Voice), (617) 565-1343, (300) 537-?697 (TDD).

Sincerely,

Peter K. Chan
Regional Manager