?wilt.

dime

OF HEALTH HUMAN SERVICES OFFICE OF THE SECRETARY

 

Voice- {215) act-4441 Office for Civil Rights, Region 

TDD - {215) 361-4440 150 5. Independence Hall West
FAX {215) 861-4431 Public Ledger Building, Suite 372
Philadelphia, Pa 191o6-a499
Reference: 1?3355
Investigator: Elizabeth Benson

Contact Telephone: 215-361-4427

February 11, 2014

 

 

{bliF?ilibliiliCl

 

 

Deal. {bii?li?liilici

On January 6, 2014, the US. Department of Health and Human Services (HHS), Of?ce for Civil
Rights (OCR), received your complaint alleging CVS Pharmacy (1334 Crain Highway,
Bowie, MD), the covered entity, has violated the Federal Standards for Privacy of Individually
Identi?able Health Information earlier the Security Standards for the Protection of Elect-emu:
Protected Health Information (45 CPR. Parts 160 and 164, Subparts A, C, and E, the Privacy
and Security Rules). You allege that on December 15, 2013, an employee impermissiny
disclosed your protected health information. Speci?cally you allege ?rst the employee was
unable to locate your prescription and questioned you about the prescription in the middle of the
pharmacy. You timber allege that the employee yelled out the name of the medication as well as
your insurance coverage information. This allegation could re?ect a violation of 45 C.F.R. 
ld4.502(a) and 

Thank you for bringing this matter to attention. Your complaint is an integral part of
OCR's cn?arcemcnt efforts.

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also Federal civil rights
laws which prohibit discrimination in the delivery of health and human services because of race,
color, national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule permits certain incidental uses and disclosures of protected health information
(PHI) that occur as a by-product of another permissible or required use or disclosure of as
long as the covered entity has applied reasonable safeguards and implemented the minimum
necessary standard, where applicable, with respect to the primary use or disclosure. See 45
C.F.R. For example, the Privacy Rule permits covered health care providers
to share PHI for treatment purposes without patient authorization as long as they use reasonable
safeguards when doing so. These safeguards may wry depending on the mode of
communication used. For example, when discussing patient health information orally with
another provider in proximity of others, a doctor may be able to reasonably safeguard the
in?irmation by lowering h'mfher voice.

 

 

 

We have carefully reviewed your complaint against CVS - Crain Highway and have determined
to resolve this matter informally through the provision of technical assistance to CVS. Should
OCR receive a similar allegation of noncompliance against CV - Crain Highway in the future,
OCR may initiate a ?orrnal investigation of that matter. or your inibrmational purposes, OCR
has enclosed material regarding the Privacy Rule provisions related to Safeguards.

Based on the toregoing, OCR is closing this case without further action, effective the date of this
letter. determination as stated in this letter applies only to the allegations in this
complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
in?onnation about this case upon request by the public. In the event OCR receives such a
request, we will make every ef?ort, as permitted by law, to protect information that identi?es
individuals or that, if released, could constitute a clearly unwarranted invasion of personal
privacy.

If you have any quwtions regarding this matter, please contact Elizabeth Benson, Investigator, at 215-
861-4427 (Voice), 215-861-4440 (TTY). .

Sincerely,

?MdL/t? K.

Barbara J. Ho
Regional Manager

Enclosurei Reasonable Safeguards

 

 

 

 

?War
DEPARTMENT OF HEALTH HUlesN SERVICES OFFICE OF THE SECRETARY
1., Voice- (215] 861?4441 Office for Civil Rights, Region 
a, TDD - (215] 861-4440 1.50 5. Independence Hall West
FAX - {215] 861-4431 Public Ledger Building, Suite 3?2
was 1: Philadelphia, PA 19105?3499

Reference: 173355

Investigator: Elizabeth Benson

Contact Telephone: 215-861-442?

February 2014

P?my Advisor

CV Carelnark

PO Box 52072

Phoenix, AZ 85072-2072

pm {broom

On January 6, 2014, the us. Department of Health and Human Services (HHS), Of?ce for Civil
Rights (OCR), received a complaint alleging that the CV Pharmacy (1334 Grain Highway,
Bowie, MD), the covered entity, has violated the Federal Standards for Privacy of Inditddually
Identi?able Health Infomiation andlor the Secmity Standards for the Protection of Electronic
Protected Health Information (45 can. Parts 160 and 164, Subparts A, C, and E, the Privacy
and Security Rules). The complainant, (senators) alleges that on December 15, 2013, an
enmloyee impermissibly disclosed her protected health information. Speci?cally, the
complainant alleges that the pharmacy employee was unable to locate her - -u ion and
questioned her about the prescription in the middle of the pharmacy. father
alleges that the employee yelled out the name of the medication as we as or mstn'ance
coverage information. This allegation could re?ect a violation of 45 CPR. 164.502 and


OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also Federal civil rights
laws which prohibit discrimination in the delivery of health and human services because of race,
color, national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule permits certain incidental uses and disclosures of protected health information
(PHI) that occur as a by-produet of another permissible or required use or disclosme of as
long as the covered entity has applied reasonable safeguards and implemented the minimum
necessary standard, where applicable, with respect to the primary use or disclosure. Sec 45
C.F.R. For example, the Privacy Rule permits covered health care providers
to share PHI for heannent purposes without patient authorization as long as they use reasonable
safeguards when doing so. These safeguards may vary depending on the mode of
communication used. For example, when discussing patient health hilinrmation orally with
another provider in proximity of others, a doctor may be able to reasonably safeguard the
by lowering hisiher voice.

 

 

 

 

In this matter, the complainant alleges the incidental use or disclosure of PHI was not
permissiblebecausereasonable safeguards were not inplace to prevent theuseor disclosure.

Pursuant to its authority under 45 CPR 160.304(a) and OCR has determined to resolve
this matter informally through the provision of technical assistance to CVS. To that end, OCR
has enclosed material explaining the Privacy Rule provisions related to Reasonable Safeguards.

You are encouraged to review these materials closely and to share them with yuur staff as part of
the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your
workforce. You are also encouraged to assess and determine whether there may have been any
noncompliance as alleged by the complainant in this matter, and, if so, to take the steps
necessary to ensure such noncompliance does not occur in the titan-e. In addition, OCR
encourages you to review the facts of this individual?s complaint and provide the individual the
appropriate written response swiftly if necessary to comply with the requirements of the Privacy
Rule. Should OCR receive a similar allegation of noncompliance against CVS Highway
in the future, OCR may initiate a formal investigation of that matter. In addition, please note
that, alter a period of six months has passed, OCR may initiate and conduct a compliance review
of CVS related to your compliance with the Privacy Rule?s provisions related to Incidental Uses
and Disclosures, Reasonable Safeguards, and the Minimum Necessary requirement.

Based on the foregoing, OCR is closing this case without ?nther action, e??ective the date of this
letter. determination as stated in this letter applies only to the allegations in this
complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required in release this letter and other
information about this case upon request by the public. In the event OCR receives such a
request, we will make every effort, as permitted by law, to protect information that identi?es
individuals or that, if released, could constitute a clearly unwarranted invasion of personal
privacy.

If you have any questions regarding this matter, please contact Elizabeth Benson, Investigator, at 215-
861-4427 (Voice), 215-361-4440 (rm.

Sincerely,

Barbara J. Holland
Regional Manager

Enclosure:_ Incidental Uses and Disclosures
Reasonable Safeguards