DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY

Office for Civil Rights, Region IV
Atlanta Federal Center, Suite 16T70
61 [illegible] Street, S.W.
Atlanta, GA 30303-8909
Voice: (404) 562-[illegible]; (800) 368-1019
TDD: (404) 562-[illegible]; (800) [illegible]

September 28, 2011

[redacted]
Privacy Adviser
CVS Caremark
[illegible] East Shea
Scottsdale, AZ 85260

Re: [redacted] vs. CVS Pharmacy/CVS Caremark
OCR Reference Number: 11-12823[illegible]

Dear [redacted] and [redacted]:

On June 3, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint from [redacted] alleging that CVS Pharmacy/CVS Caremark is in violation of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Specifically, Complainant alleges that CVS Pharmacy (hereinafter, CVS) impermissibly used and potentially impermissibly disclosed her protected health information when, during almost the entire calendar year of 2008, CVS filed her prescription claims with the County of Horry, South Carolina, and not Medicare. Also, [redacted] alleges that CVS failed to mitigate the consequences of this incident, despite being notified by Complainant and admitting to this mistake. Allegedly, CVS instructed [redacted] to try fixing the consequences of this incident on her own. These allegations could reflect potential violations of 45 C.F.R. [sections illegible] and 164.530(f), respectively.

OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws that prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and, under certain circumstances, sex and religion.

The Privacy Rule states that a covered entity may not use or disclose PHI, except as permitted or required by the Rule. See 45 C.F.R. 164.502(a).
The Privacy Rule also mandates that a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. See 45 C.F.R. 164.530(c)(1). Additionally, a covered entity is required to reasonably safeguard PHI to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure. See 45 C.F.R. 164.530(c)(2). The HIPAA Privacy Rule mandates that a covered entity provide a process for individuals to make complaints concerning the covered entity's policies and procedures required by HIPAA, or its compliance with such policies and procedures or the requirements of HIPAA. See 45 C.F.R. 164.530(d). Furthermore, a covered entity is required to mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of PHI in violation of its policies and procedures or the requirements of HIPAA by the covered entity or its business associate. See 45 C.F.R. 164.530(f).

OCR notified CVS Pharmacy of the complaint filed by Complainant. OCR's notification to CVS Pharmacy included a written request for the results of their review of the complaint's allegations. OCR also requested a copy of CVS Pharmacy's policies and procedures with respect to the impermissible use and disclosure of PHI, the safeguarding of PHI, and the policies governing the mitigation steps taken by the covered entity should an impermissible disclosure of PHI occur. [redacted], the Privacy Adviser for CVS Caremark, responded initially to OCR's written request for information on behalf of the covered entity on August 24, 2011. In the response, [redacted] submitted copies of the requested policies, procedures, and practices that are the subject of the investigation, which are necessary for OCR to determine whether it is complying with the applicable provisions of the Privacy Rule. CVS Caremark provided evidence that they had internally reviewed and mitigated the allegations in this complaint.
CVS Caremark's position is that the allegations did have merit in that Complainant's prescriptions were, in fact, processed under the incorrect account during the 2008 billing year. However, in the midst of this error, CVS Caremark has confirmed that Complainant's identifying information was not shared, nor was it impermissibly disclosed to any third parties. Nevertheless, CVS Caremark did note that the list of the prescriptions would have been listed under another account statement, but that no identifying information would have been listed on this account statement for the prescription charges in 2008. CVS Caremark's position also states that if the incident occurred as alleged, the actions relating to the incorrect billing of [redacted]'s prescriptions under the wrong account in 2008 would not be in compliance with their internal policies and procedures governing impermissible use and disclosure of PHI, as well as the safeguarding of the same.

As previously stated, 45 C.F.R. 164.502(a) states, in part, that a covered entity may not use or disclose PHI, except as permitted by the HIPAA Privacy Rule. Please further note that 45 C.F.R. 164.530(c)(1) states, in part, that a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. OCR's analysis of the information gathered through our investigation discloses that the handling of prescription bills by CVS Caremark during the billing year 2008 was not in compliance with CVS Caremark's policies and procedures in place that govern the impermissible use of PHI, as well as the safeguarding of PHI.

Pursuant to OCR's investigation, CVS Caremark took the following corrective measures to demonstrate its willingness to voluntarily comply with the cited provisions of the Privacy Rule: The Privacy Staff at CVS Caremark determined that [redacted]'s prescriptions were processed under the incorrect health plan.
It was determined that there was a difference in the costs between what [redacted] paid for her prescriptions in 2008 and what she would have paid had they been billed under the correct health plan, Blue Cross Blue Shield of South Carolina. CVS Caremark sent [redacted] a check for the difference between what she paid and what she should have been charged for her prescriptions. Additionally, mitigation steps were taken in 2009 to prevent the billing error that occurred from happening again in the future. There have been no further allegations which show that prescriptions have been billed erroneously since 2008. Also, there is no evidence showing that the billing error resulted in the compromising of her identifying information from 2008 through the present.

Based on the foregoing, we have determined that the corrective action measures taken by CVS Caremark are sufficient to effectively resolve the issues raised by Complainant, and furthermore demonstrate CVS Caremark's willingness to voluntarily comply with the applicable provisions of the Privacy Rule. As part of its investigation, OCR also reviewed the covered entity's internal policies and procedures applicable to 45 C.F.R. [sections illegible] and 164.530(f) of the HIPAA Privacy Rule. Our review of the same deems them to be compliant with the Privacy Rule. Therefore, OCR has determined that all matters raised by this complaint, at the time it was filed, have now been resolved through voluntary compliance actions of CVS Caremark. We are accordingly closing this case. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect the information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.
If you have any questions, please contact Anitra Moreland, Investigator, at (404) 562-7521 (Voice) or (404) 562-7334 (TDD).

Sincerely,

[signature]
Roosevelt Freeman
Regional Manager