DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY

Office for Civil Rights, Region III
150 S. Independence Mall West
Public Ledger Building, Suite 372
Philadelphia, PA 19106-3499
Voice (215) 351-4441
TDD (215) 861-4440
FAX (215) 851-4431

Reference: 1?4211
Investigator: Amy Kaplan
Contact Telephone: 215-861-4446

August 1, 2014

[redacted]

Dear [redacted]

On January 12, 2014, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received your complaint alleging a violation of the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, you allege that while at the CVS Pharmacy in Woodbridge, VA, a pharmacy staff member called out your daughter's name, prescription information and the insurance provider within earshot of other patients.

OCR enforces the Privacy Rule, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

As a result of the allegations in this complaint, OCR has decided to provide technical assistance with regard to safeguards of protected health information.

Under the Privacy Rule, covered entities are required to have in place appropriate administrative, technical and physical safeguards to protect the privacy of protected health information (PHI). [45 C.F.R. and However, the Privacy Rule does not specify how a covered entity must safeguard information. It is expected that a covered entity will purposefully make explicit decisions about who has access to information and how that information will be used. The Rule expects that covered entities will implement reasonable safeguards that are flexible and adaptable to their specific business environment.
The form of safeguards will vary depending on the size and nature of the business. A covered entity needs to analyze and assess its own needs and potential risks to patient privacy.

Our intervention at this time is intended to be instructional for the covered entity. If in the future, the practice fails or refuses to take reasonable steps to address this concern after we have provided technical assistance, we may need to contact you again in connection with a formal investigation. It has been our experience, however, that health care providers are generally responsive to privacy concerns raised in this context.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

Thank you for bringing this matter to our attention. If you should have any questions, please do not hesitate to contact Ms. Amy Kaplan of my staff at (215) 861-4446.

Sincerely,

Barbara J. Holland
Regional Manager