DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region
150 S. Independence Mall West
Public Ledger Building, Suite 372
Philadelphia, PA 19106-3499
Voice - (215) 861-4441
TDD - (215) 861-4440
FAX - (215) 861-4431

Reference: 14-171053
Investigator: Ralph Balsamo
Contact Telephone: 215-861-4444

August 18, 2014

[redacted]
[illegible] Governance Privacy
One CVS Drive
Woonsocket, RI 02895

Dear [redacted]:

The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint on November 21, 2013, alleging that CVS Caremark (covered entity) is not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, the complainant alleges that the covered entity provided her mother's (affected party) protected health information to another person. The complainant's allegations could reflect a violation of 45 C.F.R. uses and disclosures and § 164.530 safeguards.

OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

On April 28, 2014, OCR notified the covered entity of the complaint. OCR found that the covered entity's employee inadvertently placed the affected party's prescription in another individual's bag. The employee advised this individual that it was a mistake, but the individual would not return the prescription to the employee, but rather, the individual chose to keep the prescription. During the investigation, OCR learned that the covered entity terminated the employee.

45 C.F.R. 164.530 (1) requires that a covered entity must mitigate to the extent practicable any harmful effect that is known to the covered entity as a result of an impermissible use or disclosure of protected health information. Therefore, based upon the impermissible disclosure of the affected party's protected health information, the covered entity has agreed to provide the affected party with one year of credit monitoring services.

Additionally, based upon 45 C.F.R. § 164.530 a covered entity must implement policies and procedures with respect to protected health information that are designed to comply with the standards, implementation specifications, or other requirements of this subpart. The policies and procedures must be reasonably designed, taking into account the size of and the type of activities that relate to protected health information undertaken by the covered entity, to ensure such compliance. This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirement of this subpart. Therefore, OCR received and reviewed the policies relevant to this complaint.

All matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance actions of CVS Caremark. Therefore, OCR is closing this case. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Ralph Balsamo, Investigator, at (215) 861-4444 (Voice), or (215) 861-4440 (TDD).

Sincerely,