DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office for Civil Rights, Region IV
Atlanta Federal Center, Suite 16T76
61 Forsyth Street, SW.
Atlanta, GA 30303

Voice - (404) 562-7886, (860) 368-1619
TDD - (404) 562-7884, (800) 537-769?
Fax - (404) 562-?881

July 30, 2013

[redacted]
[redacted]
Senior Privacy Consultant
CVS Caremark Corp.
9501 East Shea Blvd.
Scottsdale, AZ 85260

Re: [redacted] vs. CVS Caremark Corp.
OCR Transaction Number: 12-145917

Dear [redacted] and [redacted]:

On June 29, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint filed by [redacted] (Complainant), alleging that CVS Caremark Corp. Pharmacy, the covered entity (CE), Store 3589, located at 6131 Six Forks Road, Raleigh, North Carolina, is not in compliance with the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules), and the Breach Notification Rule Subpart - Notification in Case of Breach of Unsecured Protected Health Information C.F.R.

The complaint alleges that violations of the Privacy Rule occurred on June 19, 2011, wherein the CE failed to utilize reasonable safeguards resulting in the impermissible disclosure of her PHI, without prior authorization. Specifically, Complainant alleges that the pharmacy was unable to locate her prescriptions when she came to pick them up. Complainant alleges that the clerk asked her for the names of the medications, and she wrote them down. After writing the name of the meds, Complainant alleges that the clerk loudly repeated them to the pharmacist such that patients and other staff in the area, who did not have a need to know, could overhear.
After going to the consultation area, Complainant alleges that she again asked that the names of medications not be stated out loud, yet the pharmacist did so three times. Complainant further alleges that she then sought to complain to the Pharmacy Manager, who failed to address her concerns, or to contact her regarding the claim. These allegations could reflect potential violations of 45 C.F.R. 164.502 [uses and disclosures of 164.530 [safeguards], and 164.530 [complaints to the respectively.

OCR enforces the Privacy, Security and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule (the Rule) states that a CE may not use or disclose PHI, except as permitted or required by the Rule. (See 45 C.F.R. must also have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. (See 45 C.F.R. This standard requires that CEs make reasonable efforts to prevent uses and disclosures of PHI that are not permitted by the Rule. Accordingly, the Rule also requires that CEs implement reasonable safeguards to limit incidental uses or disclosures of PHI. (See 45 C.F.R. The Rule further provides that a CE must provide a process for individuals to make complaints concerning the policies and procedures required by the Rule, or its compliance with such policies and procedures. (See 45 C.F.R.

In correspondence dated June 12, 2013, OCR notified CE of the complaint filed against the CE. In addition, OCR reported the allegations in the complaint and requested a written statement addressing its internal investigation. OCR also requested a copy of policies and procedures related to the aforementioned regulatory citations.
While notice was sent via e-mail to [redacted], Senior Privacy Manager, CVS responded to OCR's request in correspondence dated June 18, 2013, submitted by [redacted], Senior Privacy Consultant. [redacted] submitted the investigative findings, and acknowledged that a privacy infraction occurred. A letter of apology was issued by CE to Complainant regarding the privacy breach and UPS tracking number provided to confirm submission to Complainant.

OCR's examination of this matter reveals that Complainant contacted CE regarding her complaint and that the CE conducted an investigation of her claim on June 22, 2012, after customer care notified the privacy team of the incident. As a result, consistent with requirements for sanctions at 45 C.F.R. § 164.530 the affected employee received written sanction regarding her behavior, which served as a final written warning. The employee was advised that termination was the next step, should another incident be reported. CE also submitted documentation of the written warning to OCR. In addition, consistent with requirements for training at 45 C.F.R. § 164.530 the affected employee received remedial HIPAA training regarding usage of reasonable safeguards to ensure protection of patient PHI. CE submitted documentation of training of the affected employee.

OCR provided technical assistance to CE regarding its complaint process, training, and sanctions to ensure that similar incidents are prevented or addressed more expeditiously.

Based on the foregoing, OCR is closing its file on this complaint. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public.
In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please contact Ms. Ingrid Dove, Investigator, at (404) 562-?8?77 (Voice), or (404) 562-? 8 84 (TDD).

Sincerely,

Linda You Connor
Acting Regional Manager