?ll-Ill DEPARTMENT OF HEALTH 8: ll UMAN SERVICES OFFICE OF THE SECRETARY Voice - (215)351-4441. {21513314440 - {215) 851-4431 Of?ce for Civil Rights, Region Ill "cm 150 S- Independence Mall West Pu hlie Ledger Building, Suite 372 Philadelphia, PA 19106-91 d! November 27, 2012 CVS Caremark 9501 E. Shea Blvd. Scottsdale, AZ 85260 Privacyr Investigator {bit?ilolti?lECJ Transaction Number: 142260 Dem. {1035) {bit?I'M?) On May 1, 2012, the Department of Health and Human Services (HI-IS), Office for Civil Rights (OCR) received a complaint alleging that CVS Carernark {Blue Cross Blue Shield pharmacy division) is not in compliance with the Federal standards for privacy of individually identi?able health information andfor the Security Standards for the Protection of Electronic Protected Health hilonnation (45 CPR Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), Specifically, the complainant, I alleges that a CVS Caremark continues to send patient protected health information to his attention instead of the 't was intended for despite repeated attempts to correct the contact information with CVS. So a disclosure could re?ect a violation of 45 regarding irnperrnissible uses and disclosures of protected health information, 45 C.F.R. ?164.530[c) regarding safeguards, and 45 regarding breach of unsecured protected health information. OCR enforces the Privacy Rule, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. On October 2012, OCR noti?ed CVS Caremark of the complaint. We have reviewed the matters raised in the complaint. CV Caremark provided OCR with written assurance of the following: CVS Caremark conducted a full investigation of this issue and determined that provider database had I NPOIDEA, address and contact information (including the fax number) linked to the Complainant?s address and contact information. CVS noted that they rely on an outside vendor, Health Market Science (HMS), which provides CV3 with a data ?le that contains provider contact infonuatiou. CVS informed OCR that they upload the data ?le into provider database. The HMS data ?le was incorrect which resulted in thelibii?iiblti?itci faxes being sent to the Complainant. CV8 has assured OCR that they have corrected the information in their database and made sure that the HMS corrected their database for ?rture data ?le. In addition, CVS has requested retraining of certain employees regarding the proper protocol to follow upon receipt of a provider fax indicating that the communication was redirected and in the proper handling and safeguarding of PHI and CVS Caremark noted that they take their responsibility to protect the privacy of its plan participants very seriously, and they noted that they believe the steps undertaken should prevent such an incident from recurring in the ?rture. Lastly, CVS Caremark regrets any inconvenience this may have caused the Complainant due to this error. CVS provided copies of the policies and procedures regarding the issues at hand for review by OCR. All matters raised by this complaint at the time it was ?led have now been resolved through the voluntary compliance actions of CVS Caremark. Therefore, OCR is closing this case. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions, please contact Amy Kaplan, at (215) 361-4446. Sincerely, 43W Barbara J. Holland Regional Manager