f?mm'tg DEPARTMENT OF HEALTH 8: HUMAN SERVICES aim-c OFFICE OF THE SECRETARY Voice- (215) 861?4441 TDD - (215) 861-4440 Fax (215) 851?4431 Reference: 14921 6 Investigator: Amy Kaplon Contact Telephone: 215-861-4446 January 9, 2013 {bii?li?ii'r'iici Deal, {bliblibiilicl Office for Civil Rights, Region 150 5. Independence Mall West Public Ledger Building, Suite 372 Phlladelphia, PA 19105-3499 On September 25, 2012, the US. Department of Health and Human Services (HHS), O?ice for Civil Rights (OCR) received a complaint from you alleging a violation of the Federal Standards for Privacy of Individually Identi?able Health Infomation andfor the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subpatts A, C, and E, the Privacy and Security Rules) by CVS Pharmacy. Speci?cally, yon alleged that the on September 24, 2012, you asked the pharmacy technician whether your prescription would interfere with your birth control. The technician went over to the pharmacist to relay the question and while on the telephone and remaining 10-15 feet away, the Pharmacist asked you whether you were on birth control and then proceeded to inform you that the prescription would interfere with your birth control and she would put a note in your ?le indicating that you had been informed. These allegations could re?ect a violation of 45 C.F.R. 164.530(c) (safeguards) and or, impermissible disclosures of protected health information under 45 can Thank you for bringing this matter to attention. Your complaint plays an integral part in enforcement efforts. OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. The Privacy Rule permits certain incidental uses and disclosures of protected health information (PHI) that occur as a by-product of another permissible or required use or disclosure of PHI, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. See 45 C.F.R. For example, the Privacy Rule permits covered health care providers to share PHI for treatment purposes without patient authorization as long as they use reasonable safeguards when doing so. These safeguards may vary depending on the mode of communication used. For example, when discussing patient health information orally with another provider in proximity of others, a doctor may be able to reasonably safeguard the information by lowering hislher voice. We have carefully reviewed your complaint against CVS Pharmacy and have determined to resolve this matter informally through the provision of technical assistance to CVS Pharmacy. Should OCR receive a similar allegation of noncompliance against CVS Pharmacy in the future, OCR may initiate a formal investigation of that matter. Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions regarding this matter, please contact Amy Kaplan, Investigator at 215?361-4446. Thank you for bringing this matter to our attention. frame. em 1 DEPARTMENT OF HEALTH d; HUMAN SERVICES OFFICE OF THE SECRETARY Office for Civil Rights, Region 150 3. Independence Hall West Public Ledger Building, Suite 372 Philadelphia, PA 19106-3499 Voice (215)361-4441 TDD - (215} 861-444o (215)861-4431 MW Reference: 149216 Investigator: Amv Kaplan Contact Telephone: 21586 1?4446 . January 9, 2013 CVS Phannac Pharmacy Supervisor 130 Schuylkill Road Phoenixville, PA 19460 {bli?llbiiTliCl . Dear On September 25, 2012., the US. Department of Health and Human Services (HHS), Of?ce for Civil Rights (OCR) received acompiaint from Ms. Catherine Flaum, alleging that CVS Pharmacy in Phoenixville, PA has violated the Federal Standards for Privacy of Individually Identi?able Health information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Speci?cally, the complainant alleges that, on September 24, 2012, she asked the pharmacy technician whether the prescription would interfere with her birth control. The technician went over to the pharmacist to relay the qu . . a while on the telephone and remaining 10-15 feet away, the Pharmacist asked whether she was on birth control and then proceeded to inform her that the prescription would interfere with her birth control and she would put a note in her ?le indicating that she had been informed. noted that a number of other customers overheard the- pharmacist. These allegations could reflect a violation of 45 GER. 164.530(c) (safeguards) and or, impennissible disclosures of protected health information under 45 CPR OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also enforces Federal civil rights laws which prohibit discrimination in the deliver},r of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion The Privacy Rule permits certain incidental uses and disclosures of protected health information (PHI) that occur as a by-product of another permissible or required use or disclosure of PHI, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. See 45 C.F.R. For example, the Privacy Rule permits covered health care providers to share PHI for treatment purposes without patient authorization as long as they use reasonable safeguards when doing so. These safeguards may vary depending on the mode of communication used. For example, when discussing patient health information orally with another provider in proximity of others, a doctor may be able to reasonany safeguard the information by lowering hisfher voice. In this matter, the complainant alleges the incidental use or disclosure of was not permissible, either because reasonable safeguards were not in place to prevent the use or disclosure andfor because the minimum necessary standard was not implemented when it should have been. Pursuant to its authority under 45 CPR 160.304(a) and OCR has determined to resolve this matter informally through the provision of technical assistance to CVS Pharmacy. To that end, OCR has enclosed material explaining the Privacy Rule provisions related to Incidental Uses and Disclosures, Reasonable Safeguards, and the Minimum Necessary requirement. You are encouraged to review these materials closely and to share them with your staff as part of the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your workforce. You are also encouraged to assess and determine whether there may havebeen an incident of noncompliance as alleged by the complainant in this matter, and, if so, to take the steps necessary to ensure such noncompliance does not occur in the More. Please contact OCR if you need further information regarding the allegations in this matter. Should OCR receive a similar allegation of noncompliance against CVS Pharmacy in the future, OCR may initiate a formal investigation of . that matter. Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. detemrination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions regarding this matter, please contact Amy Kaplan, Investigator at 215-861-4446. Thank you for bringing this matter to our attention. Enclosures: Incidental Disclosures Reasonable Safeguards Minimum Necessary