DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of the Secretary

Office for Civil Rights, Region IV
Atlanta Federal Center, Suite 16T70
61 Street, SW.
Atlanta, GA 30303

Voice - (404) 562-7886, (800) 368-1019
TDD - (404) 562-7884, (800) 537-7697
Fax - (404) 562-7881

June 28, 2013

[redacted]
CVS Pharmacy
Adviser, Government and Privacy
One CVS Drive
Woonsocket, RI 02895

Re: [redacted] vs. CVS Pharmacy
OCR Transaction Number: 12-13706?

Dear and .

On December 20, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint alleging that CVS Pharmacy, Store #393, is not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule Subpart - Notification in Case of Breach of Unsecured Protected Health Information (45 C.F.R. Complainant, filed this complaint on behalf of her mother, [redacted].

The Complainant alleges that her mother prescription had been mistakenly given to another individual [redacted] in error. [redacted] date of birth is May 5, 1921 and [redacted] year of birth is 1950. [redacted] had been provided with [redacted] medication on a previous occasion and has had to correct the CVS Pharmacy staff after receiving the incorrect medication. These allegations could reflect potential violations of 164.514(h), and 164.5300), respectively.

Please note that 45 C.F.R. 164.502(a) states, in part, that a covered entity may not use or disclose PHI, except as permitted by the HIPAA Privacy Rule. 45 C.F.R. §164.514(h) states, in part, that a covered entity must verify the identity of a person requesting protected health information and the authority of any such person to have access to protected health information, if the identity or any such authority of such person is not known to the covered entity. 45 C.F.R. states, in part, that a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. 45 C.F.R. states in part, that a covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures required by this subpart or its compliance with such policies and procedures. According to 45 C.F.R. a covered entity must document all complaints received, and their disposition. 45 C.F.R. §164.530(f) states, in part, that a covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures.

OCR enforces the Privacy, Security and Breach Notification Rules, and also enforces Federal civil rights laws that prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and, under certain circumstances, sex and religion.

OCR notified CVS Pharmacy of the complaint filed by Complainant. This notification, which is initial written communication with the covered entity about the complaint, described the acts that are the basis of the complaint. OCR's notification to CVS Pharmacy included a written request for the results of their review of the complaint's allegations. OCR also requested a copy of CVS Pharmacy's procedures with respect to specific procedures relating to the handling of PHI belonging to their the Government and Privacy Advisor for CVS Pharmacy, responded to written request for information on behalf of the covered entity.
In the response, submitted copies of the requested policies and procedures that are the subject of the investigation, which are necessary for OCR to determine whether it is complying with the applicable provisions of the Privacy, Security and Breach Notification Rules. reports that based on its internal investigation that portions of the original allegations did have merit in that there have been instances has received the medication belonging

OCR's analysis of the information gathered through our investigation discloses that the actions of having the medication belonging to one patient provided to an unauthorized third party would be deemed as an incident disclosure of PHI. An internal investigation reveals that although the provision of [redacted] medication to was unintentional, it did cause an impermissible disclosure [redacted] protected health information.

OCR's analysis of the information gathered through our investigation reflects that there was in fact a potential violation of the HIPAA Privacy Rule by way of the impermissible disclosure of protected health information. Due to this finding, CVS Pharmacy took the following corrective measures to demonstrate its willingness to ensure their voluntary compliance with the cited provisions of the Privacy Rule:

- [redacted] returned the prescription to CVS Pharmacy after it was provided to her in error;
- The pharmacy staff at Store #3973 was retrained on the HIPAA Privacy, Security and Breach Notification Rules;
- The pharmacy staff was also retrained on the internal policies and procedures related to the handling of Privacy complaints; and
- Additional verification processes have been implemented to ensure accuracy with the medications provided.

Based on the foregoing, we have determined that the corrective action measures taken by CVS Pharmacy are sufficient to effectively resolve the issues raised by Complainant, and furthermore demonstrate CVS Pharmacy's willingness to voluntarily comply with the applicable provision of the Privacy, Security and Breach Notification Rules.

As part of its investigation, OCR also reviewed the covered entity's internal policies and procedures applicable to 164.514(h), and 164.5300) of the HIPAA Privacy Rule. Our review of the same deems them to be compliant with the Privacy Rules.

Based on the foregoing, all matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance actions of CVS Pharmacy. Therefore, OCR is closing this case. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. OCR only reviewed the evidence submitted pertinent to resolving the issues raised in the complaint.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Anitra Moreland, Investigator, at (404) or (404) 562-7884 (TDD).

Sincerely,

Roosevelt Freeman
Regional Manager