+h a?um'deo b5 1 DEPARTMENT OF HEALTH 3: WAN SERVICES OFFICE OF THE SECRETARY Voice - (21321543313, {soc} ass?1mg Of?ce to:- Civil Rights, Region TDD (and) 537-?39? Jacob Javits Federal Building 26 Federal Plaza, Suite 3312 New York, NY 10218 {212] ass-sass camou?aged! {Bli?i {bitiltcl JUL 0 8 2013 Our Reference number: {bli?lttliilt'i?rl Dear On March 25, 2013, the US. Department of Health and Human Services (HHS), Of?ce for Civil Rights (OCR) received your complaint alleging that CVS Pharmacy located on 200 West End Avenue of New York, New York (the covered entity) is in violation of the Federal Standards for Privacy of individually Identi?able Health Information andl'or the Security Standards for the Protection of Electronic Protected Health information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, the complaint alleges that the covered entity delivered your husband?s medication to your residence without a privacy bag; thus, disclosing your husband protected health information (PHI) to unauthorized individuals. OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin. disability, age. and under certain circumstances, sex and religion. - - Please be advised that the Privacy Rule requires covered entities to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of individuals' protected health information (PHI) and limit access to PHI to those in the workforce that need access based on their roles in the covered entity. After review of your correspondence and conversation with you on June 20131 OCR spoke with the covered entity's representative on Juty 8, 2013 and provided technical assistance regarding safeguarding PHI. OCR advised the covered entity of its responsibility under the Security and Privacy Rules regarding safeguarding patient information. The covered entity assured OCR that it has safeguards in place and informed OCR that the covered entity retrained the staff member who delivered the medication without a privacy bag on its safeguards policy. Additionally, under the .covered entity's obligations under the Breach Noti?cation Rule, it conducted a risk assessment and accounted the disclosures in its records. Based upon this response, we have determined that no further OCR action is warranted. and therefore, we are Page 2 closing this matter. This determination applies only to the allegations in this compiaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR reoeives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions regarding this matter. please contact Jenny Im, Investigator, at 212-264-4997. Thank you for bringing this matter to our attention. Regional Manager Office for Civil Rights