93? 1immune?;

 

 DEPARTMENT OF HEALTH 3: HUMAN SERVICES Of?ce of the Secretary
?is . . .
m" Voice - (404) 562-7386, (800) 368-1019 Of?ce for Civil Rights,
TDD - (404} 562-7334, (300) 537-7697 Region yet]
Fax - {404) 562-2881 61.7091'3' Centers
61 Street. SW.

Atlanta. GA 30303

July 3, 2012

 



Chief Privacy Of?cer
CVS Caremark

P.O. Box 52072
Phoenix, AZ 85072-2072

 

 

 

 

 

 

 


Re: vs. CVS Caremark

OCR Transaction Number: 11-135023
Dear {blistibimici

On August 23, 2011, the US. Department of Health and Human Serv,
Of?ce for Civil Rights (OCR), Region IV, received a complaint ?led by (?Emma

Ileging that the CVS Caremark Pharmacy the covered entity (CE),
located on 38?? Avenue in Beach, South Carolina has violated the Federal
Standards for Privacy of Individually Identi?able Health Information (45 C.F.R.
Parts 160 and 164, Subparts A and E, the Privacy Rule). Speci?cally, the
Complainant alleged that on August 8, 2011, a employee impermissiny
disclosed the protected health information (PHI) of patients by using the patients?
full names and discussing the name and type of medication being prescribed for
the patients. This allegation could re?ect a violation of 45 C.F.R. 164.502(a)
and 

 

 

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also
enforces Federal civil rights laws which prohibit discrimination in the delivery of
health and human services because of race, color, national origin, disability, age,
and under certain circumstances, sex and religion.

The Privacy Rule permits certain incidental uses and disclosures of protected health
information (PHI) that occur as a by-product of another permissible or required
use or disclosure of PHI, as iong as the covered entity has applied reasonable
safeguards and implemented the minimum necessary standard, where applicable,
with respect to the primary use or disclosure. See 45 C.F.R. 
For example, the Privacy Rule permits covered health care providers to share PHI

 

 

for treatment purposes without patient authorization as long as they use 
reasonable safeguards when doing so. These safeguards may vary depending on
the mode of communication used. For example, when discussing patient health
information orally with another provider in proximity of others, a doctor may be
able to reasonably safeguard the information by lowering his/her voice.

In this matter, the complainant alleges the incidental use or disclosure of PHI was
not permissible, either because reasonable safeguards were not in place to prevent
the use or disclosure andfor because the minimum necessary standard was not
implemented when it should have been. Pursuant to its authority under 45 C.F.R.
160.304(a) and OCR has determined to resolve this matter informally
through the provision of technical assistance to CVS Caremark Pharmacy. To that
end, OCR has enclosed material explaining the Privacy Rule provisions related to
Incidental Uses and Disclosures, Reasonable Safeguards, and the Minimum
Necessary requirement.

You are encouraged to review these materials closely and to share them with your
staff as part of the Health Insurance Portability and Accountability Act (HIPAA)
training you provide to your workforce. You are also encouraged to assess and
determine whether there may have been an incident of noncompliance as alleged
by the complainant in this matter, and, if so, to take the steps necessary to ensure
such noncompliance does not occur in the future. Please contact OCR if you need
further information regarding the allegations in this matter. Should OCR receive a
similar allegation of noncompliance against CVS Caremark Pharmacy in the future,
OCR may initiate a formal investigation of that matter.

Based on the foregoing, OCR is closing this case without further action, effective
the date of this letter. determination as stated in this letter applies only to
the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter
and other information about this case upon request by the public. In the event
OCR receives such a request, we will make every effort, as permitted by law, to
protect information that identi?es individuals or that, if released, could constitute a
clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Ms. Ingrid Dove,
Investigator, at (404) 562-7877(Voice) or (404) 

Sincerely,_ -

sev?lt ?gs)

Regional Manager

 
  

Enclosures: Incidental Disclosures
Reasonable Safeguards
Minimum Necessary

 

 

 DEPARTMENT OF HEALTH 3. HUMAN SERVICES Of?ces the Secretary
'5

Voice - {404) 562-7886, (80(1) 368-1019 Of?ce for Civil Rights. Region IV
TDD - {404) 562-?384, [800) sat-?res? Atlanta Federal Center, Suite
Fax - (404) 5624881 16TTO

31 Forsy?'l Street? s_w_

Atlanta, GA 30303

 

 

 

 

 

 

 

July 3, 2012

Re: vs. gammark 

 

OCR Transaction Number: 11-135023

 

{mimth
Dear 

 

 

 

On August 23, 2011, the U.S. Department of Heaith and Human Services (HHS),
Of?ce for Civil Rights (OCR), Region IV, received your complaint alleging that CVS
Caremark Pharmacy the covered entity, located on 38th Avenue in 
Beach, South Carolina, has violated the Federal Standards for Privacy of
Individually Identi?able Health Information (45 C.F.R. Parts 160 and 164, Subparts
A and E, the Privacy Rule). Speci?cally, you allege that on August 8, 2011, a
employee impermissiny disclosed the protected health information (PHI) of
patients by using the patients? full names and discussing the name and type of
medication being prescribed for the patients. This allegation could re?ect a
violation of 45 C.F.R. 164.502(a) and 

Thank you for bringing this matter to attention. Your complaint plays an
integral part in OCR's enforcement efforts. -

OCR enforces the Privacy, Security, and Breach Notification Rules, and also
enforces Federal civil rights laws which prohibit discrimination in the delivery of
health and human services because of race, color, national origin, disability, age,
and under certain circumstances, sex and religion.

The Privacy Rule permits certain incidental uses and disclosures of protected health
information (PHI) that occur as a by-product of another permissible or required use
or disclosure of PHI, as long as the covered entity has applied reasonable
safeguards and implemented the minimum necessary standard, where applicable,
with respect to the primary use or disclosure. See 45 C.F.R. 
For example, the Privacy Rule permits covered health care providers to share PHI
for treatment purposes without patient authorization as long as they use reasonable
safeguards when doing so. These safeguards may vary depending on the mode of
communication used. For example, when discussing patient health information

 

 

orally with another provider in proximity of others, a doctor may be able to
reasonably safeguard the infOrmation by lowering his/'her voice.

We have carefully reviewed your complaint against CVS Caremark Pharmacy and
have determined to resolve this matter informally through the provision of technical
assistance to CVS Caremark Pharmacy. Should OCR receive a similar allegation of
noncompliance against CVS Caremark Pharmacy in the future, OCR may initiate a
formal investigation of that matter.

Based on the foregoing, OCR is closing this case without further action, effective
the date of this letter. OCR's determination as stated in this letter applies only to
the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter
and other information about this case upon request by the public. In the event OCR
receives such a request, we will make every effort, as permitted by law, to protect
information that identifies individuals or that, if released, could constitute a clearly
unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Ms. Ingrid Dove,
Investigator, at (404) 562-7877(Voice) or (404) 

Sincerely,


- 

 kw

.2


"Bl?Roosevelt ll/=reema 
Regional Manager