DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY

Voice - (212) 264-3313, (800) 368-1019
TDD - (212) 264-2355
(212) 264-3039

Office for Civil Rights, Region II
Jacob Javits Federal Building
26 Federal Plaza, Suite 3312
New York, NY 10278

SEP 27 2013

Re: OCR Transaction Number: 13-152550

Dear [redacted]:

On November 30, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received your complaint alleging that Caremark, the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, you allege that the covered entity impermissibly disclosed your protected health information (PHI) to an unintended third-party, [redacted], when it mailed your prescription medications to her address. You further allege that granddaughter's PHI was impermissibly disclosed to you when you received granddaughter's medication in the mail. This allegation could reflect a violation of 45 C.F.R. 164.502(a), and [illegible].

Thank you for bringing this matter to OCR's attention. Your complaint is an integral part of OCR's enforcement efforts.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, age, and under certain circumstances, sex and religion.

Please be advised, a covered entity may not use or disclose an individual's PHI without an authorization unless permitted or required by the Privacy Rule. Please be further advised, that a covered entity must implement reasonable physical, technical, and administrative safeguards in order to protect PHI from impermissible uses and disclosures.

We are pleased to inform you that your complaint in this matter has been resolved. As part of its investigation, OCR has provided Caremark with guidance to comply with the Privacy Rule. Specifically, Caremark has taken the following steps toward coming into compliance with the Privacy Rule:

1. Conducted a risk assessment with respect to your PHI, pursuant to the Breach Notification Rule.

2. Took steps to mitigate the harm associated with the disclosure, such as reclaiming the medications sent to both you and [redacted] for destruction.

3. Retrained the responsible employee and department on Caremark's shipping policies and procedures to ensure a similar incident does not recur in the future; more specifically, staff members were reminded that if a ship order comes off a box, the ship order should be brought to a pharmacist so that the medication contents can be reviewed.

For your informational purposes, OCR has enclosed material regarding the Privacy Rule provisions related to safeguarding PHI.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Simone Peart, Investigator, at (212) 264-3375 (Voice) or (212) 264-2355 (TDD).

Sincerely,

Linda C. Colón
Regional Manager


DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY

Voice - (212) 264-3313, (800) 368-1019
TDD - (212) 264-2355
(212) 264-3039

Office for Civil Rights, Region II
Jacob Javits Federal Building
26 Federal Plaza, Suite 3312
New York, NY 10278

SEP 27 2013

[redacted]
Privacy Specialist
CVS Caremark
9501 E. Shea
Scottsdale, AZ 85260

Re: OCR Transaction Number: 13-152550

Dear [redacted]:

On November 30, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received a complaint alleging that Caremark Specialty Pharmacy (Caremark), the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, the complainant, [redacted], alleges that Caremark impermissibly disclosed his protected health information (PHI) to an unintended third-party, [redacted], when it mailed his prescription medications to her address. The complainant further alleges that [redacted] granddaughter's PHI was impermissibly disclosed to him when he received the granddaughter's medication in the mail. This allegation could reflect a violation of 45 C.F.R. [illegible] and [illegible].

OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

Please be advised, a covered entity may not use or disclose an individual's PHI without an authorization unless permitted or required by the Privacy Rule. Please be further advised, that a covered entity must implement reasonable physical, technical, and administrative safeguards in order to protect PHI from impermissible uses and disclosures.

OCR is pleased that, in response to our investigation, Caremark has taken the following steps toward coming into compliance with the Privacy Rule:

1. Conducted a risk assessment with respect to the complainant's PHI, pursuant to the Breach Notification Rule.

2. Took steps to mitigate the harm associated with the disclosure, such as reclaiming the medications sent to both the complainant and [redacted] for destruction.

3. Retrained the responsible employee and department on Caremark's shipping policies and procedures to ensure a similar incident does not recur in the future; more specifically, staff members were reminded that if a ship order comes off a box, the ship order should be brought to a pharmacist so that the medication contents can be reviewed.

OCR has determined that the following corrective actions are needed to bring Caremark into compliance with the Privacy Rule:

1. OCR has determined that the disclosure of the complainant's PHI constitutes a breach, as the mailing of incorrect medication had a strong likelihood of resulting in a physical harm to the patient. As such, Caremark will comply with the requirements of the Breach Notification Rule, including but limited to, filing a breach report with the Secretary of HHS and notifying the complainant of the breach.

2. Document the disclosure of [redacted] granddaughter's PHI in her accounting of [illegible]

3. Conduct a risk assessment with regards to [redacted] PHI, to determine whether the disclosure of her PHI resulted in a breach.

4. If Caremark determines that the disclosure of PHI resulted in a breach, Caremark will comply with the requirements of the Breach Notification Rule, including but limited to, filing a breach report with the Secretary of HHS and notifying [redacted] of the breach.

Please note that, after a period of six months has passed, OCR may initiate and conduct a compliance review of Caremark related to your compliance with the Privacy Rule.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Simone Pearl, Investigator, at (212) 264-3375 (Voice) or (212) 264-2355 (TDD).

Sincerely,

Linda C. Colón
Regional Manager