Company responses to ProPublica

CVS Health Statement

We fully investigated Mr. Fenity’s complaint that his private information was inappropriately shared by a colleague in our San Antonio call center last year. We determined that although no information about Mr. Fenity’s health condition or any specific medications he was taking was shared, the employee who engaged in that behavior was fired.

Employees who work in this call center are obligated by the terms of their employment to maintain the confidentiality of any patient information, including that of CVS Health employees, they may have access to as part of their normal scope of work.

If an employee expresses a concern about speaking to call center representatives about their pharmacy care, we make every effort to resolve that concern. One option that may be considered is a single, dedicated representative who would be the only representative authorized to access their prescription account. In fact, following Mr. Fenity’s incident, this option was offered to him and he accepted.

CVS Health is strongly committed to protecting the privacy of our patients’ health information. We have established rigorous privacy policies and procedures throughout the Company to safeguard patient information. We also continue to invest in technologies to provide comprehensive safeguards for customer and patient information.

Protecting private information and the confidentiality of those we serve are conditions of employment at CVS Health. All 200,000 of our employees working in our pharmacies, retail medical clinics, call centers and other facilities around the country are required to complete formal training on compliance with our privacy policies and procedures when they are hired, and annually thereafter. In addition, job-specific training on privacy practices occurs on a regular basis.

We are never complacent about privacy matters and we constantly strive to address and reduce disclosure incidents by enhancing our training and safeguards. For example, in response to concerns about conversations at the pharmacy counter potentially being overheard, we extended the space between patients waiting in line and the patient being served at the pharmacy counter. We also implemented an educational campaign across all our retail pharmacies that included, among other things, posting reminders and warnings to pharmacists to lower their voices when discussing patient information.

Whenever we discover that our privacy policies or procedures have not been properly followed, we take corrective action such as retraining the employees involved. Those who intentionally violate our privacy requirements and safeguards are subject to the termination of their employment. This would include the viewing of an individual’s prescription records without a legitimate business need to do so.

CVS Health’s Privacy Policy is posted on our website and we regularly report on updates to our privacy practices in our annual Corporate Social Responsibility report, which is available here.

--Mike DeAngelis, spokesman

Walgreen Co. Statement

Walgreens takes the privacy and security of our customers’ information very seriously. Walgreens thoroughly investigates any concern about privacy regardless of how it is brought to our attention and will voluntarily improve practices if necessary. We appreciate the feedback and expertise that the Office for Civil Rights provides and work with OCR to ensure that our customers are protected.

--Jim Graham, spokesman

Kaiser Permanente Statement

We do report information regarding these kinds of incidents to OCR and statewide to CDPH. We can’t speculate how this information is recorded or reported by the state, but we can tell you that we comply with all federal and state reporting requirements.

We fully cooperate with OCR, in compliance with HIPAA, and with CDPH, in compliance with the 2008 California law requiring the reporting of certain security incidents to CDPH. Our goal is to be fully responsive to any requests made by OCR and the state.

Overall, we are committed to protecting the confidentiality of our members’ and patients’ information. There is not one simple solution, as you know, so we are continually working to improve our protections in multiple ways:

• We work to foster a culture of compliance that protects information, including that of members, patients, employees, physicians, and other information confidential to our business. Specifically around member and patient information protection, we conduct education, training and awareness programs that are required for our employees and physicians, so they understand the imperative of following the law, and the potential impact that failing to do so can have on patients, and on their employment.
• We continually assess and enhance our technology, to use it to help protect access to confidential information.
• We are regularly improving our processes by controlling and managing access to confidential information, instituting privacy and security policies, and reviewing our compliance with federal and state laws, including HIPAA.

--Vanessa Benavides, Kaiser Permanente chief compliance and privacy officer.