DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region II
Jacob Javits Federal Building
26 Federal Plaza, Suite 3312
New York, NY 10278
Voice - (212) 264-3313, (800) 368-1019
TDD - (212) 264-2355, (800) 537-7697
FAX - (212) 264-3039

Our Reference Number: 14-177412

Dear [redacted]:

On February 27, 2014, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received your complaint alleging that CVS Caremark (the covered entity) has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, you allege that you received a telephone call from [redacted], who advised you that when she logged into her on-line CVS account she was able to view your protected health information. However, you stated that you are not certain whether it was your information or your roommate [redacted]'s information that was mixed with [redacted]'s protected health information. The complainant also alleges that the covered entity mailed [redacted]'s prescription to her house, instead of [redacted]'s home. You also allege that the covered entity mailed [redacted]'s prescription to your house, instead of [redacted]'s home. These allegations could reflect a violation of 45 C.F.R. 164.502(a) and 164.530(c).

Thank you for bringing this matter to OCR's attention. Your complaint is an integral part of OCR's enforcement efforts. OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule allows health care providers and health plans to share protected health information (PHI) for permitted purposes using the mail or fax, as long as they use reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of the PHI. See 45 C.F.R. [section number illegible]. These safeguards may vary depending on the mode of communication used. For example, when faxing PHI to a telephone number that is not used regularly, a reasonable safeguard may involve a covered entity first confirming the fax number with the intended recipient of the fax.

We are pleased to inform you that your complaint in this matter has been resolved. Specifically, the covered entity has taken the following corrective actions to comply with the Privacy and Breach Notification Rules:

1. The disclosure was documented in your, [redacted]'s and [redacted]'s medical records for accounting purposes.
2. The covered entity forwarded to you and [redacted] letters regarding the incident and requested that you complete and return the attached acknowledgement form.
3. The covered entity submitted an error report against the staff member that caused the error, which satisfies the sanctions requirement under the Privacy Rule.
4. The covered entity is reviewing its procedures to determine whether changes may be needed regarding members' identification numbers.

OCR has determined that the following corrective actions are needed to bring the covered entity into compliance with the Privacy Rule:

1. Determine whether the covered entity is required to make notifications pursuant to 45 C.F.R. 164.404-164.408, to the complainant and to HHS using the online breach reporting tool found at [URL illegible]. In making this determination, please be advised that the impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the CE or business associate demonstrates a low probability that the PHI has been compromised or an exception applies. Following an impermissible use or disclosure of PHI, CEs may conduct a risk assessment which considers: 1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; 2) the unauthorized person who used the PHI or to whom the disclosure was made; 3) whether the PHI was actually acquired or viewed; and 4) the extent to which the risk to the PHI has been mitigated.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Kelli Robinson, Investigator, at 212-264-3314.

Sincerely,

Linda Colon
Regional Manager
Office for Civil Rights


HIPAA Privacy Officer
CVS Caremark
9501 E. Shea Blvd.
Scottsdale, AZ 85260

AUG 25 2011

Our Reference Number: 14-177412

Dear [redacted]:

On February 27, 2014, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), received a complaint alleging that CVS Caremark at 180 Passaic Avenue, Fairfield, NJ (the covered entity) has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, [redacted] alleges that she received a telephone call from [redacted], who advised her that when she logged into her on-line CVS account she was able to view either the complainant's or [redacted]'s, who resides at the same address as the complainant, protected health information. The complainant is not certain whether it was her information or [redacted]'s information that was mixed with [redacted]'s protected health information. The complainant also alleges that the covered entity mailed [redacted]'s prescription to her house, instead of [redacted]'s home. These allegations could reflect a violation of 45 C.F.R. 164.502(a) and 164.530(c).

OCR enforces the Privacy, Security, and Breach Notification Rules, and also Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

In this matter, the complainant alleges that PHI was impermissibly disclosed either through the mail or by fax. Generally, the Privacy Rule permits a covered entity to make disclosures of protected health information (PHI) for a permitted purpose, through a variety of means, such as by mail or facsimile machine, as long as the covered entity, when doing so, uses reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of the PHI. See 45 C.F.R. [section number illegible]. These safeguards may vary depending on the mode of communication used. For example, when faxing PHI to a telephone number that is not used regularly, a reasonable safeguard may involve a covered entity first confirming the fax number with the intended recipient of the fax.

OCR is pleased that, in response to our investigation, the covered entity has taken the following steps toward coming into compliance with the Privacy and Breach Notification Rules:

1. The disclosure was documented in [redacted]'s and [redacted]'s medical records for accounting purposes.
2. The covered entity forwarded [redacted] and [redacted] letters regarding the incident and requested that they complete and return the attached acknowledgement form.
3. The covered entity submitted an error report against the staff member that caused the error, which satisfies the sanctions requirement under the Privacy Rule.
4. The covered entity is reviewing its procedures to determine whether changes may be needed regarding members' identification numbers.

OCR has determined that the following corrective actions are needed to bring the covered entity into compliance with the Privacy Rule:

1. Determine whether the covered entity is required to make notifications pursuant to 45 C.F.R. 164.404-164.408, to the complainant and to HHS using the online breach reporting tool found at [URL illegible]. In making this determination, please be advised that the impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the CE or business associate demonstrates a low probability that the PHI has been compromised or an exception applies. Following an impermissible use or disclosure of PHI, CEs may conduct a risk assessment which considers: 1) the nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; 2) the unauthorized person who used the PHI or to whom the disclosure was made; 3) whether the PHI was actually acquired or viewed; and 4) the extent to which the risk to the PHI has been mitigated.

Please note that, after a period of six months has passed, OCR may initiate and conduct a compliance review of the covered entity related to your compliance with safeguarding protected health information.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Kelli Robinson, Investigator, at 212-264-3314.

Sincerely,

Linda Colon
Regional Manager
Office for Civil Rights