WW
0
a:    
3 Voice (617) 565-1340, {300) 353-1019, Top (617) 555- 1343, 
FAX (617) 565-3809, Of?ce for can Rights, Region 1
JFK Fallen! Blending, Room 1315


2.5 2013 

 



 

 

 

Re: OCR Transaction Number: 13-155656

 



 

 

Dear 

 

On January 11, 2013, the U.S. Department of Health and Human Services
(HHS), Of?ce for Civil Rights (OCR), received your complaint alleging that
Carolina Primary Care, the covered entity, has violated the Federal
Standards for Privacy of Individually Identifiable Health Information (45
C.F.R. Parts 160 and 164). Specifically, you allege that a cashier at the
Winston-Salem CV5 discussed your medical insurance in a loud voice that
allowed other customers in the line and in the waiting area to overhear what
she was saying about your insurance status. This allegation could reflect a
violation of 45 C.F.R. 164.502(a) and 

Thank you for bringing this matter to attention. Your complaint plays
an integral part in OCR's enforcement efforts.

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also
enforces Federal civil rights laws which prohibit discrimination in the delivery
of health and human services because of race, color, national origin,
disability, age, and under certain circumstances, sex and religion.

The Privacy Rule permits certain incidental uses and disclosures of protected
health information (PHI) that occur as a by-product of another permissible or
required use or disclosure of PHI, as long as the covered entity has applied
reasonable safeguards and implemented the minimum necessary standard,
where applicable, with respect to the primary use or disclosure. See 45
C.F.R. For example, the Privacy Rule permits covered
health care providers to share PHI for treatment purposes without patient
authorization as long as they use reasonable safeguards when doing so.
These safeguards may vary depending on the mode of communication used.
For example, when discussing patient health information orally with another
provider in proximity of others, a doctor may be able to reasonably
safeguard the information by lowering his/her voice.

 

Page 2- 13-155656

We have carefully reviewed your complaint against the Winston-Salem CVS
and have determined to resolve this matter informally through the provision
of technical assistance to CVS. Should OCR receive a similar allegation of
noncompliance against the Winston Salem CVS in the future, OCR may
initiate a formal investigation of that matter.

Based on the foregoing, OCR is closing this case without further action,
effective the date of this letter. OCR's determination as stated in this letter
applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this
letter and other information about this case upon request by the public. In
the event OCR receives such a request, we will make every effort, as
permitted by law, to protect information that identifies individuals or that, if
released, could constitute a clearly unwarranted invasion of personal
privacy. 

If you have any questions regarding this matter, please contact Vicki
Kaufman, Investigator, at (617) 565-1344 (Voice) or (617) 565-1343 (TDD).

Sincerely,

MWL

Peter K. Chan
Regional Manager

 

 

Voice (617') 565-1340, (300} 368-1019, TDD 565- 1343, (800) 53?-769?
FAX (617) 565-3309, We: for Chi Rith, Region I
JFK Federal Building. Room 1815

AUG 2 .5 2013 Government Center

Boston, MA 02103-0002

?it. 

DEPARTMENT OF HEALTH 3.: HUMAN SERVICES OFFICE OF THE 
I

In

 

{bll?llbl?llcl

Coordinator Privacy Investigations
CVS Caremark

One CVS Drive

Woonsocket, RI 02895

 

 

Re: OCRTransaction Number: 01-13-155656

Dear {momma}

On January 11, 2013, the U.S. Department of Health and Human Services
(HHS), Of?ce for Civil Rights (OCR), received a complaint alleging that the
CVS Caremark (CV5), the covered entity, has violated the Federal Standards
for Privacy of Individually Identi?able Health Information (45 C.F.R. Parts
160 and 164, Subparts A and E, the Privacy Rule). Speci?cally, the
complainant alleges that, on December 22, 2012, her protected health
information (PHI) was disclosed when a staff person at the CVS at 855
Hanes Mall Boulevard, Winston Salem, NC discussed the complainant's
health insurance coverage in a manner that could be heard by other
customers in the line behind her and in the waiting area. This allegation
could re?ect a violation of 45 C.F.R. 164.502(a) and 

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also
enforces Federal civil rights laws which prohibit discrimination in the delivery
of health and human services because of race, color, national origin,
disability, age, and under certain circumstances, sex and religion.

The Privacy Rule permits certain incidental uses and disclosures of protected
health information (PHI) that occur as a by-product of another permissible or
required use or disclosure of PHI, as long as the covered entity has applied
reasonable safeguards and implemented the minimum necessary standard,
where applicable, with respect to the primary use or disclosure. See 45
C.F.R. For example, the Privacy Rule permits covered
health care providers to share PHI for treatment purposes without patient
authorization as long as they use reasonable safeguards when doing so.
These safeguards may vary depending on the mode of communication used.
For example, when discussing patient health informatlon orally with another
provider in proximity of others, a doctor may be able to reasonably
safeguard the information by lowering his/ her voice.

 

In this matter, the complainant alleges the incidental use or disclosure of
PHI was not permissible, either because reasonable safeguards were not in
place to prevent the use or disclosure and/or because the minimum
necessary standard was not implemented when it should have been.
Pursuant to its authority under 45 C.F.R. 160.304(a) and OCR has
determined to resolve this matter informally through the provision of
technical assistance to CVS. To that end, OCR has enclosed material
explaining the Privacy Rule provisions related to Incidental Uses and
Disclosures, Reasonable Safeguards, and the Minimum Necessary
requirement.

You are encouraged to review these materials closely and to share them with
your staff at the CVS in Winston Salem, NC as part of the Health Insurance
Portability and Accountability Act (HIPAA) training you provide to your
workforce. You are also encoumged to assess and determine whether there
may have been an incident of noncompliance as alleged by the complainant
in this matter, and, if so, to take the steps necessary to ensure such
noncompliance does not occur in the future. Please contact OCR if you need
further information regarding the allegations in this matter. Should OCR
receive a similar allegation of noncompliance against CVS at 355 Hanes
Boulevard, Winston Salem, NC, OCR may initiate a formal Investigation of
that matter.

Based on the foregoing, OCR is closing this case without further action,
effective the date of this letter. determination as stated in this letter
applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this
letter and other information about this case upon request by the public. In
the event OCR receives such a request, we will make every effort, as
permitted by law, to protect information that identifies individuals or that, if
released, could constitute a clearly unwarranted invasion of personal
privacy.

If you have any questions regarding this matter, please contact Vicki
Kaufman, Investigator, at 565-1344 (Voice) or (617) 565-1343 (TDD).

Sincerely/m
Peter Chan Q1
Regional Manager

Enclosures: Incidental Disclosures
Reasonable Safeguards
Minimum Necessary