i In" 

?it

?mml?.

DEPARTMENT OF HEALTH 8: HUMAN SERVICES OFFICE OF THE SECRETARY

 

Voice? (215) 861-4441 Office for Civil Rights, Region 
TDD (215) 861-4440 150 5. Independence Mail West
FAX (215) 361-4431 Public Ledger Building, Suite 3?2

Philadelphia, PA 19106-3499

Reference:
Investigator:
Contact Telephone:

14-176385
Ralph Balsamo
215-861-4444

October 28, 20] 4

 

 

(blt?ltbliflici

 

 

On February 4, 2014, the US. Department of Health and Human Services (HHS), Of?ce for Civil Rights
(OCR), received your complaint alleging that CVS Pharmacy, the covered entity, has violated the Federal
Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for
the Protection of Electronic Protected Health Information (45 CPR. Parts 160 and 164, Subparts A, C,
and E, the Privacy and Security Rules). Speci?cally, you allege that, on February 2, 2014, while you
were at the covered entity, a pharmacist named Cory spelled your name incorrectly. Your complaint
indicates that you offered to show identi?cation to verify the spelling of your name. However, you allege
that Cory printed the screen he was looking at, and showed you another individual?s protected health
information. You further allege that Cory then left the paperwork in plain view, for everyone else to see,
and you had to ask Cory to retrieve the paperwork, so that it would not be impermissiny disclosed to
other individuals. This allegation could re?ect a violation of45 C.F.R. 

Thank you for bringing this matter to attention. Your complaint is an integral part of 
enforcement efforts.

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also Federal civil rights laws
which prohibit discrimination in the delivery of health and human services because of race, color, national
origin, disability, age, and under certain circumstances, sex and religion.

A covered entity must maintain reasonable and appropriate administrative, technical, and physical
safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the Privacy Rule
and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure.
45 C.F.R. For example, such safeguards might include shredding documents containing
protected health information before discarding them, securing medical records with lock and key or pass
code, and limiting access to keys or pass codes.

We have carefully reviewed your complaint against CVS Pharmacy and have determined to resolve this
matter informally through the provision of technical assistance to CVS Pharmacy. Should OCR receive a
similar allegation of noncompliance against CVS Pharmacy in the future, OCR may initiate a formal
investigation of that matter.

For your informational purposes, OCR has enclosed material regarding the Privacy Rule provisions
related to Safeguards.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter.
determination as stated in this letter applies only to the allegations in this complaint that were
reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information
about this case upon request by the public. In the event OCR receives such a request, we will make every
effort, as permitted by law, to protect information that identi?es individuals or that, if released, could
constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Ralph Balsamo, Investigator, at 215-861-
4444 (Voice), 215-361-4440 (TTY).

Sincerely,

5W 

Barbara J. Holland
Regional Manager

Enclosure: Reasonable Safeguards