DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region II
Jacob Javits Federal Building
26 Federal Plaza, Suite 3312
New York, NY 10278
Voice - (212) 264-3313, (800) 368-1019
TDD - (212) 264-2355, (800) 537-7697
(FAX) (212) 25445039

1 5 2013

OCR Transaction Number: 12446465

Dear

On July 25, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received your complaint alleging that CVS Pharmacy store located at 8970 S. Meridian Street, Indianapolis, IN 46217 (CVS), the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). The complaint was forwarded to the Region II office for consideration. Specifically, you allege that, on July 23, 2012, an estranged acquaintance and an employee of CVS, disclosed your medical condition to a mutual acquaintance of your girlfriend. This allegation could reflect a violation of 45 C.F.R. 164.510 and 164.530(c).

Thank you for bringing this matter to OCR's attention. Your complaint plays an integral part in enforcement efforts.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces the Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

A covered entity may not use or disclose protected health information except as permitted or required by the Privacy Rule. As long as an individual does not object, a covered entity is allowed to share or discuss with the individual's family, friends, or other persons identified by the individual the protected health information that is directly relevant to such person's involvement with the individual's care or payment for care.
The covered entity may ask the individual's permission, may tell the individual that the covered entity plans to discuss the information and give the individual an opportunity to object, or may decide, using the covered entity's professional judgment, that the individual does not object. However, in any of these cases, the covered entity may discuss only the information that the person involved needs to know about the individual's care or payment for their care.

The minimum necessary provision of the Privacy Rule also requires the covered entity to limit access to protected health information by identifying the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and conditions appropriate to such access.

Finally, a covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures required by the Privacy Rule or its compliance with such policies and procedures or with the requirements of the Privacy Rule. 45 C.F.R. 164.530

We have carefully reviewed your complaint against CVS and have determined to resolve this matter informally through the provision of technical assistance to CVS. Should OCR receive a similar allegation of noncompliance against CVS in the future, OCR may initiate a formal investigation of that matter.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public.
In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

Should you have any questions regarding this matter, please contact Robert Chirila, Investigator, by email at or by telephone at (212) 264-8900 (Voice), or (212) 264-2355 (TDD). Thank you for bringing this matter to our attention.

Sincerely,

C. Colon
Regional Manager

DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region II
Jacob Javits Federal Building
26 Federal Plaza, Suite 3312
New York, NY 10278
Voice - (212) 264-3313, (800) 368-1019
TDD - (212) 264-2355, (800) 537-7697
(FAX) 421212545039

1 5 2013

[redacted]
Director
Information Governance and Privacy
9501 Shea
Scottsdale, AZ 85260-8719

OCR Transaction Number: 12446465

Dear [redacted]

On July 25, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received a complaint alleging that CVS Pharmacy store located at 8970 S. Meridian Street, Indianapolis, IN 46217 (CVS), the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). [illegible] Region II office [illegible]. Specifically, [illegible] July 23, [illegible] an estranged acquaintance [illegible] disclosed her medical condition to a mutual acquaintance of her girlfriend. This allegation could reflect a violation of 45 C.F.R. 164.510 and [illegible].

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces the Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.
Pursuant to the Privacy Rule, a covered entity may not use or disclose protected health information (PHI) except as permitted or required by the Privacy Rule. As long as an individual does not object, a covered entity is allowed to share or discuss the individual's health information with the individual's family, friends, or others involved in the individual's care or payment for their care. The covered entity may ask the individual's permission, may tell the individual that the covered entity plans to discuss the information and give the individual an opportunity to object, or may decide, using the covered entity's professional judgment, that the individual does not object. However, in any of these cases, the covered entity may discuss only the information that the person involved needs to know about the individual's care or payment for their care.

The minimum necessary provision of the Privacy Rule also requires the covered entity to limit access to protected health information by identifying the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and conditions appropriate to such access.

Finally, a covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures required by the Privacy Rule or its compliance with such policies and procedures or with the requirements of the Privacy Rule. 45 C.F.R. 164.530

In this matter, the complainant alleges that the complainant's PHI was impermissibly disclosed to a member of the complainant's family or to an acquaintance of the complainant or that the complainant's PHI was otherwise impermissibly used by an employee of CVS.

Pursuant to its authority under 45 C.F.R. 160.304(a) and [illegible], OCR has determined to resolve this matter informally through the provision of technical assistance to CVS.
To that end, OCR has enclosed material explaining the Privacy Rule provisions related to Disclosures to Family and Friends, the Minimum Necessary Requirement, and Reasonable Safeguards. It is our expectation that you will review these materials closely and share them with your staff as part of the Health Insurance Portability and Accountability Act (HIPAA) training you provide and, if so, to take the steps necessary to ensure such noncompliance does not occur in the future.

Please contact OCR if you need further information regarding the allegations in this matter. Should OCR receive a similar allegation of noncompliance against CVS in the future, OCR may initiate a formal investigation of that matter.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

Should you have any questions regarding this matter, please contact Robert Chirila, Investigator, by email at or by telephone at (212) 264-8900 (Voice), or (212) 264-2355 (TDD). Thank you for bringing this matter to our attention.

Sincerely,

C. Colon
Regional Manager

Enclosures:
Disclosures to Family and Friends
The Minimum Necessary Requirement
Reasonable Safeguards