a

HIM-TH
at 4 #0

be.

 


Si- 

 

DEPARTMENT OF HEALTH 8: HUMAN SERVICES OFFICE OF THE SECRETARY

Voice - (212) 264-3313, (sou) see-1019 Of?ce for Civil Rights, Region 11
am, Too (212} 254?2355, 1800)537?769? Jacob Javits Federal Building

(FAX) - [212] 234-3039 26 Federal Plaza, Suite 3312

 

 

 

 

 

 

museum New York, NY 10273
(blt?liblti?itcl
JUL 2 2 2313
IWmimicJ I Privacy Investigator
CVS Pharmacy 
One CV8 Drive

Mail Drop
Woonsocket, Rhode island 02395

OCR Transaction Number: 12-146189

 

 



 

 

Bear and

 

 

 

 

On July 23, 2012, the U.S. Department of Health and Human Services (HHS), Of?ce for Civil
Rights (OCR) received a complaint alleging that CVS Pharmacy (CV8) is not in compliance
with the Federal Standards for Privacy of individually Identi?able Health information andior the
Security Standards for the Protection of Electronic Protected Health Information (45 C.

0 and 164, Subparts A, C, and E, the Privacy and Security Rules). Speci?cally,
[the complainant) asserts that on July 9, 2012, he requested that CV8 communicate
wI Im regarding his protected health information (PHI) only to his cell phone. The
complainant also asserts that he requested that his medication not be delivered to his home
address. but instead be ready for pick up. The complainant alleges that subsequently, CVS
contacted his home number regarding his PHI, and delivered his medication to his home
address. As a result, the complainant alleges that his PHI was disclosed to his wife.

 

OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws that
prohibit discrimination in the delivery of health and human services because of race, color,
national origin, disability, age, and, under certain circumstances, sex and religion.

On October 15, 2012, OCR noti?ed CV8 of the complaint.

We have reviewed the matter alleged in the complaint. The complainant advised OCR that he
usually fills his prescriptions at the CVS store located on 87'? Street, New York City, NY, which
delivers them to his home address. However, on July 9, 2012, he took his prescription to
another CV8 store located at 1500 Lexington Avenue, New York, NY, and requested that the
store communicate with him regarding his PHI only via his cell phone. The complainant also
stated that he requested that his medication not be delivered to his home. but instead be ready
for pick up. The complainant informed OCR thata CV8 technician at the Lexington
Avenue location, agreed to his request that CV8 contact him only via his cell phone. However,
the complainant advised OCR thatid not respond to his request that the store not
deliver his medication to his home. The complainant advised OCR that in spite of his requests,

 

 

 

 

 

{bit?ilbiifiici 6 1" 
Page 2 013- and 3' I

 

 

 

 

 

 

CV5 contacted him at his home telephone number and delivered his medication to his home,
and as a result, his wife received and opened the delivery bag containing his medication.

Based on investigation, the covered entity advised OCR that it conducted an internal
investigation into this matter. CV8 acknowledged that after the complainant requested that he
be contacted only at his cell phone number. The covered entity also acknowledged that its
store located at 1500 Lexington Avenue did not follow the complainant?s request and contacted
him at his home telephone number. However, with respect to his request regarding delivery of
his medication, CV8 advised OCR that it has no record of the complainant's request that his
prescription be held at the store and not be delivered to his home address.

CV8 advised OCR that the technician at the Lexington Avenue location who received
the complainant?s request that CV8 communicate with him only via his cell phone, failed to add
a note to the system documenting the complainant?s request. Because the store did not have
the full quantity of the prescribed medication. another technician contacted the complainant at
his home number and left a message to inform him of the shortage of medication. CV8
advised OCR that the technician did not disclose any PHI during the message. OCR notes that
the complainant con?rmed that the message did not contain the name of his medication. OCR
also notes that although his wife was present, it was the complainant who listened to the
message.

As a result of this incident, CV8 took corrective measures to ensure that this type of error does
not recur. Speci?cally, CV8 advised OCR that on July 16, 2012, the Pharmacy Supervisor
contacted the complainant and apologized for the incident. CV8 advised OCR that because it
was unable to identify the technician who contacted the complainant at his home number the
second time, in November 2012, the pharmacist in charge retrained the entire staff of the store
located at 1500 Lexington Avenue with respect to CV8's HIPAA policies and procedures
regarding sanctions and alternative communications.

review of policy and procedure with respect to alternative
communications provision revealed that the policy that applies to its pharmacy stores unit,
which is a health care provider states that, will accommodate reasonable customer
requests to receive communications of PHI by alternative means or at alternative locations if
the customer clearly states that the disclosure of all or part ofthat information couid endanger
the customer if the Alternative Communication request is not granted?. OCR advised CV8 that
while its policy complies with the Privacy Rule?s provision for health plans, the policy is
contrary to the Privacy Rule?s provision with respect to health care providers. Speci?cally,
according to the Privacy Rule, health care providers may not require an explanation from the
individual as to the basis forthe request as a condition at providing communications on a
con?dential basis. As a result, CV8 provided OCR with written assurances that on July 2,
2013, it revised its policy that applies to its pharmacy stores unit regarding alternative
communications, and will implement it by the end of July 2013.

With respect to the complainant?s allegation that he requested CV8 not to deliver his
medication, but instead hold it for pick up, CV8 denied that it had any record of the

 

 

 

Page 3 of land I

 

complainant's request. In addition. according to the complainant, CVS delivered his medication
in a brown bag and it was only when his wife opened the bag that she became privy to the
complainant's medication. The Privacy Rule requires that covered entities have in place
appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. In
this instance, there is no evidence that CV8 did not safeguard the complainant?s PHI.
Therefore, OCR ?nds that CV8 did not violate the Privacy Rule when it delivered the
complainant?s medication at his home address.

In light of the corrective action measures taken by the covered entity, OCR deems that all
matters raised by this complaint at the time it was ?led have now been resolved through the
voluntary compliance actions of the covered entity. Therefore, OCR is closing this case.

determination, as stated in this letter, applies only to the allegations in this complaint
that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a
request, we will make every effort, as permitted by taw, to protect information that identi?es

individuals or that, if released, could constitute a clearly unwarranted invasion of personal
pnvacy.

If you have any questions regarding this matter, please contact Robert Chirila, Investigator, by
email at robert.chirila@hhs.gov or by telephone at (212) 264-3900 (Voice), or (212) 264-2355
(TDD). Thank you for bringing this matter to our attention

 

Regional Manager