DEPARTMENT OF HEALTH AND HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region [illegible]
61 Street, S.W.
Atlanta Federal Center, Suite [illegible]
Atlanta, GA [illegible]
Voice: (404) 552-7886
TDD: [illegible]
May 20, 2011
CVS-Caremark
One CVS Drive
Woonsocket, RI 02895
RE: [redacted] v. CVS Pharmacy
Reference No: 1?123020
Dear [redacted] and [redacted]
On January 19, 2011, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint from [redacted] alleging non-compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the "Privacy and Security Rules"). [redacted] alleged that her protected health information was impermissibly disclosed in a phone message left with a relative. These allegations could potentially reflect a violation of the Privacy Rule. See 45 C.F.R. 164.503 and
OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws that prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and, under certain circumstances, sex and religion.
The Privacy Rule states that a covered entity may not use or disclose protected health information except as permitted or required by the Privacy Rule. See 45 The Privacy Rule also mandates that a covered entity must have in place appropriate administrative, technical and physical safeguards to protect the privacy of protected health information. See 45 C.F.R. Unless specifically permitted by the Privacy Rule, a covered entity may not release an individual's protected health information without an appropriate authorization. 45 C.F.R. 164.508.
On August 25, 2010, OCR notified CVS Pharmacy (hereinafter "CVS") of the privacy complaint filed by [redacted] and requested certain documents and information related to the facts alleged.
On March 23, 2011, CVS provided a detailed response to the allegations along with its HIPAA training materials, provisions of its personnel manual, its confidentiality policies, and various other policies related to this matter.
From our review of the relevant documents and allegations, it appears that [redacted] was not at home when CVS called to advise her that her medication was not ready. She says that the specific name of the medication was left with her son, and that it was of a nature that might convey a health condition, and that she wanted to avoid sharing her health conditions with him. CVS denied its employee disclosed the name of the medication, but stated that her medication would not be ready until the following day.
The Privacy Rule defines "protected health information" (PHI) broadly, and would include either of the circumstances described by the parties. Generally, CVS would not have been authorized to disclose a patient's PHI to an individual not involved with their care.
After reviewing the circumstances of this case, CVS implemented a new policy relating to leaving messages for its customers. Under the new policy, customers are simply requested to call the pharmacy when messages are left. Prescription information is prohibited from being left in a message or even the fact that a prescription has been ordered. This policy applies whether the message is left with a person who answers the phone call, or left on an answering machine. The staff involved with this incident was trained on the new policy, which will be implemented nationwide.
Accordingly, it appears that the matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance action of CVS. Therefore OCR is closing this case determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. OCR only reviewed the evidence of record pertinent to resolving the issues raised by you in the aforementioned complaint.
Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.
If you have any questions regarding this matter, please contact Elliott Schwan at (404) 562-2790 (Voice), (404) 562-7881 (TDD).
Sincerely,
Roosevelt Freeman
Regional Manager