a ?nun. DEPARTBIENT OF HEALTH 8: HUMAN SERVICES 0m 0? the 5mm! Voice - 565-1340. (soc) 368-1019 TDD - (err) 555-1343, (sec) 537.7697 Fax - (517) see-secs Of?ce for Civil Rights, Region I Government Center J.F. Kennedy Federat Building. .hh . Dvl' Room 1375 I 6 Boston. MA02203-0002 {bll?liblliltcl I Privacy Of?cer CVS Caremark CVS Drive Woonsocket, RI 02895-6146 Our Reference number: 01-13-154331 Dear {bits}, audiblt?libltiltm l: On January 24, 2013, the U.S. Department of Health and Human Services (HHS), Of?ce for Civil Rights (OCR) received a complaint alleging that CVS is in violation of the Federal Standards for Privacy of Individually Identi?able Health Information andfor the Security Standards for the Protection of Electronic Protected Health Information (45 CPR. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Speci?cally, the complainant alleges that CVS imperrnissibly disclosed her protected health information (PHI) to her insurance company even though she stated she wanted to pay for the prescription out of pocket. This allegation could reflect violations of 45 C.F.R. 164.502(a) and OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. On March 26, 213, OCR noti?ed CVS of the complaint. On April 29, 2013, CVS reaponded to the complaint allegations and provided supporting documentation. During its investigation OCR learned the following: the complainant had previously provided her insurance information to process prescriptions and this had become a part of her record with The process for submitting a prescription online is automated and there is not an agent who reviews the prescription prior to processing it through the patients insurance. The online system processes the prescription through an automated system and billed to the patients insurance to provide them at the most affordable cost. If the insurance information had been provided by the patient in previous prescription requests it is recorded as part of their pro?le at CVSI'pharmacy. Here, the complainant?s prescription order had no notation not to use her insurance for this particular prescription. Page No.: 2, Transaction No; ill-13454331 As a result of the complaint, the complainant was provided reimbursement and the claim was reversed off of the complainant?s health insurance. In addition, CVS also removed the complainant?s insurance information from her record. CVS is also actively in the process of reviewing its process in order to comply with the requirements under HITECH that requires a covered entity to agree to the patient's request to restrict the disclosures of protected health information to a health plan for the purpose of carrying out payment or health care operations and if the restriction applies to protected health information that pertains solely to a health care item or service for which the health care provider has been paid out of pocket in full. CVS provided OCR with its policy and procedure related to uses and disclosures of PHI, and safeguards, which OCR reviewed and found to be in compliance with the Privacy Rule. All matters raised by this complaint at the time it was ?led have now bew resolved through the voluntary compliance actions of CVS. Therefore, OCR is closing this case. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we wiil make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions, please contact Erin Walker, Investigator, at Erin.Wallter@hhs.gov, (617) 565-1351 (Voice), (617) 565-1343, (800) 537-7697 (TDD). Sincerely, Peter K. Chan Regional Manager