DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of the Secretary
Office for Civil Rights, Region IV
Atlanta Federal Center, Suite 16T70
61 Forsyth Street, SW.
Atlanta, GA 30303
Voice - (404) 562-7836, (800) 368-1019
TDD - (404) 562-3384, (800)
Fax - (404) 562-7381

May 17, 2013

Chief Privacy Officer
CVS Caremark Corp.
One CVS Drive
Woonsocket, RI 02895

Re: [redacted] vs
OCR Transaction Number: 12-145741

Dear

On July 13, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region IV, received a complaint filed by (Complainant) alleging that CVS Caremark, Pharmacy, the covered entity (CE), located at 3910 Hardy Street, in Hattiesburg, MS has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, the complaint alleges that the CE impermissibly disclosed Complainant's protected health information (PHI) to by failing to apply appropriate safeguards to protect her PHI from impermissible uses and/or disclosures. In particular, Complainant alleges that notified her via telephone that when he went in to pick up his meds, her PHI was enclosed with his medication. These allegations could reflect a violation of 45 C.F.R. 164.502(a) and

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule permits certain incidental uses and disclosures of PHI that occur as a by-product of another permissible or required use or disclosure of PHI, as long as the CE has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. (See 45 C.F.R.
For example, the Privacy Rule permits covered health care providers to share PHI for treatment purposes without patient authorization as long as they use reasonable safeguards when doing so. These safeguards may vary depending on the mode of communication used. For example, when discussing PHI orally with another provider in proximity of others, a doctor may be able to reasonably safeguard the information by lowering his/her voice.

In this matter, the Complainant alleges the incidental use or disclosure of PHI was not permissible, either because reasonable safeguards were not in place to prevent the use or disclosure and/or because the minimum necessary standard was not implemented when it should have been.

Pursuant to its authority under 45 C.F.R. 160.304(a) and OCR has determined to resolve this matter informally through the provision of technical assistance to CVS Caremark, Pharmacy. To that end, OCR has enclosed material explaining the Privacy Rule provisions related to Incidental Uses and Disclosures, Reasonable Safeguards, and the Minimum Necessary requirement. You are encouraged to review these materials closely and to share them with your staff as part of the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your workforce. You are also encouraged to assess and determine whether there may have been an incident of noncompliance as alleged by the complainant in this matter, and, if so, to take the steps necessary to ensure such noncompliance does not occur in the future.

Please contact OCR if you need further information regarding the allegations in this matter. Should OCR receive a similar allegation of noncompliance against CVS Caremark, Pharmacy in the future, OCR may initiate a formal investigation of that matter.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter.
OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Ms. Ingrid Dove, Investigator, at (404) 562-7877 (Voice) or (404)

Sincerely,

Roosevelt Freeman
Regional Manager

Enclosures:
Incidental Disclosures
Reasonable Safeguards
Minimum Necessary

DEPARTMENT OF HEALTH & HUMAN SERVICES
Office of the Secretary
Office for Civil Rights, Region IV

May 17, 2013

Re: [redacted]
OCR Transaction Number: 12-145741

[redacted]

Dear

On July 13, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region IV, received your complaint, alleging that CVS Caremark, Inc./ CVS Pharmacy, the covered entity (CE), located at 3910 Hardy Street, in Hattiesburg, MS, has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, you allege that on or around June 24 impermissibly disclosed your protected health information (PHI) [redacted] another CVS customer, by failing to apply appropriate safeguards to protect your PHI. In particular, you allege that notified you via telephone that when he went in to pick up his meds, your PHI was enclosed with his medication. These allegations could reflect a violation of 45 C.F.R. 164.502(a) and
Thank you for bringing this matter to OCR's attention. Your complaint plays an integral part in enforcement efforts.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule permits certain incidental uses and disclosures of PHI that occur as a by-product of another permissible or required use or disclosure of PHI, as long as the CE has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. See 45 C.F.R. For example, the Privacy Rule permits covered health care providers to share PHI for treatment purposes without patient authorization as long as they use reasonable safeguards when doing so. These safeguards may vary depending on the mode of communication used. For example, when discussing PHI orally with another provider in proximity of others, a doctor may be able to reasonably safeguard the information by lowering his/her voice.

We have carefully reviewed your complaint against CVS Caremark, Inc./ CVS Pharmacy and have determined to resolve this matter informally through the provision of technical assistance to CVS Caremark, Inc./ CVS Pharmacy. Should OCR receive a similar allegation of noncompliance against CVS Caremark, Inc./ CVS Pharmacy in the future, OCR may initiate a formal investigation of that matter.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public.
In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Ms. Ingrid Dove, Investigator, at (404) 562-7877 (Voice) or (404)

Sincerely,

Roosevelt Freeman
Regional Manager