DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of the Secretary

Office for Civil Rights, Region
Atlanta Federal Center, Suite 16170
61 Street, SW.
Atlanta, GA 30303

Voice - (404) 562-7836, (soc) sea-101s
TDD - {4'34} 552-7334i (309) 5373697
Fax - (404) 562-7881

December 28, 2012

CVS Caremark
9501 E. Shea Blvd.
Scottsdale, AZ 85260

RE: v. CVS
Reference No: 12-143514

Dear and

On May 17, 2012, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint from alleging non-compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the "Privacy and Security Rules") and the Breach Notification Rule Subpart - Notification in Case of Unsecured Protected Health Information (45 C.F.R. alleged that her PHI was disclosed when the pharmacy clerk gave out her prescription information in a loud voice in front of other customers. These allegations could potentially reflect a violation of the Privacy Rule. See 45 C.F.R. 164.502(a) and

OCR enforces the Privacy, Breach Notification and the Security Rules, and also enforces Federal civil rights laws that prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and, under certain circumstances, sex and religion.

The Privacy Rule states that a covered entity may not use or disclose protected health information except as permitted or required by the Privacy Rule. See 45 C.F.R. The Privacy Rule also mandates that a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. See 45 C.F.R.

On July 13, 2012, OCR notified CVS (hereinafter, of the privacy complaint filed by and requested certain documents and information related to the facts alleged.
On November 27, 2012, CVS provided a detailed response to the allegations, along with its HIPAA training materials, provisions of its personnel manual, and its confidentiality policies, and various other policies related to this matter.

From our review of the relevant documents and allegations, it appears that Complainant sought to pick up her prescription medication at a CVS store, located in Summerville, SC 29483. When she inquired whether it was ready, the clerk responded that one of her medications was not ready, referencing it by name. This was disclosed in what Complainant and CVS both agree was at a volume level that was sufficient for others around to hear. Previously, she had been asked to orally provide a name and birth date, and after the disclosure of the medication, Complainant felt that her privacy had been unnecessarily disclosed to the several other individuals waiting for service. Complainant has a professional standing in the community, and she felt that disclosures such as this could jeopardize it. When she brought this to the attention of the employee, the employee was dismissive of her concerns. The particular store had no other documented incident since 2010.

After this incident came to attention, CVS followed its corrective action policies approved in numerous previous OCR Complaints. The store manager spoke to Complainant to apologize and acknowledge the store's error. The entire pharmacy staff was retrained on Privacy Rule policies. The specific employee was counseled, and the incident documented for her personnel file. However, the employee subsequently left CVS for reasons other than this incident.

policy is to have its employees protect their patient's PHI by speaking in soft voices. After discussions, CVS has agreed to provide a note at this particular store informing customers that they have a right to not answer authentication questions out loud, but to provide authentication by showing an ID or by supplying written answers.
The note will be used for the next few months. CVS indicated that it would review its entire privacy policies, and that it may seek another procedure in place of the note if this review determines a more effective procedure can be implemented.

Although an unauthorized disclosure may have occurred, it does appear that CVS has complied with the voluntary compliance procedures that OCR has approved in many prior cases. Accordingly, OCR is closing this case.

determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. OCR only reviewed the evidence of record pertinent to resolving the issues raised by you in the aforementioned complaint.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Elliott Sehwalb at (404) 562-2790 (Voice) or (404) 562-?384 (TDD).

Sincerely,

Roosevelt Freeman
Regional Manager