wt, 
d?

 

$5 01?
5 DEPARTMENT OF HEALTH HUMAN SERVICES OFFICE OF THE SECRETARY
96a; Voice - (404) SSE-T386, (800) 363-1019 Of?ce for Civil Rights, Region IV
 TDD - (404} 562-?884. (300} 53?-?697 61 Street, aw.
(FAX) (404} 562-?88! Atlanta Federal Center, Suite 16TH)
Atlanta, GA 303 03-8909
September 25, 2012

Attn: Privacy Of?cer
CVS Pharmacy

507'0 1-55 North
Jackson, MS 39211

Re: {blisiibim'm vs. CVS Pharmacy
OCR Transaction Number: lit-146746

Dear Privacy Of?cer:

On July 27, 2012, the US. Department of Health and Human Services (HHS), Of?ce for Civil
Rights (OCR), Region IV received a complaint alleging that CVS Pharmacy (hereinafter,
has violated the Federal Standards for Privacy of Individually Identi?able Health
Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Speci?cally, the
complaint alleges that CVS impermissiny disclosed the protected health information of
Complainant when on June 16, 2012, a CVS pharmacist and technician discussed Complainant?s
PHI in front of other, non-employee individuals. This allegation could re?ect a violation of 45
CPR. 164.502(a) and 

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also enforces Federal
civil rights laws which prohibit discrimination in the delivery of health and human services
because of race, color, national origin, disability, age, and under certain circumstances, sex and
religion.

The Privacy Rule permits certain incidental uses and disclosures of protected health information
(PHI) that occur as a by-product of another permissible or required use or disclosure of PHI, as
long as the covered entity has applied reasonable safeguards and implemented the minimum
necessary standard, where applicable, with respect to the primary use or disclosure. See 45
CPR. For example, the Privacy Rule permits covered health care providers
to share PHI for treatment purposes without patient authorization as long as they use reasonable
safeguards when doing so. These safeguards may vary depending on the mode of
communication used. For example, when discussing patient health information orally with
another provider in proximity of others, a doctor may be able to reasonably safeguard the
information by lowering hisfher voice.

In this matter, the complainant alleges the incidental use or disclosure of PHI was not
permissible, either because reasonable safeguards were not in place to prevent the use or

 

 

 

disclosure andz'or because the minimum necessary standard was not implemented when it should
have been. Pursuant to its authority under 45 C.F.R. 160.304(a) and OCR has determined
to resolve this matter informally through the provision of technical assistance to CVS. To that
end, OCR has enclosed material explaining the Privacy Rule provisions related to Incidental
Uses and Disclosures, Reasonable Safeguards, and the Minimum Necessary requirement.

You are encouraged to review these materials closely and to share them with your staff as part of
the Health Insurance Portability and Accountability Act (I-IIPAA) training you provide to your
workforce. You are also encouraged to assess and determine whether there may have been an
incident of noncompliance as alleged by the complainant in this matter, and, if so, to take the
steps necessary to ensure such noncompliance does not occur in the future. Please contact OCR
if you need ?rrther information regarding the allegations in this matter. Should OCR receive a
similar allegation of noncompliance against CVS in the future, OCR may initiate a formal
investigation of that matter.

Based on the foregoing, OCR is closing this case without further action, effective the date of this
letter. determination as stated in this letter applies only to the allegations in this
complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a request,
we will make every effort, as permitted by law, to protect information that identi?es individuals
or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Sonya Hana?, Investigator, at
(404) 562-7876 (Voice), (404) 562-7884 (TDD).

Sincerely,

oosevelt Freeman
Regional Manager
OCR Region IV
Enclosures: Incidental Disclosures

Reasonable Safeguards
Minimum Necessary

 

 

 

 

sEJl VI
till. 

 

.85 it"
DEPARTMENT OF HEALTH HUMAN SERVICES OFFICE OF THE SECRETARY
Voice - [404} 562-?386. (300} 368-1019 Of?ce for Civil Rights, Region IV
 TDD - (404} 552-7334. (soc) 53?-?69? 61 Street, sw.
(FAX) (404} 562-7331 Atlanta Federal Center, Suite 16T70
Atlanta, GA 30303-8909
September 25, 2012
(bli5llbli7liCl

 

 

 

 

Re: _{bi{63={bi{iim vs. CVS Pharmacy
OCR Transaction Number: 12?1467'46


Dear {cl

 

 

 

 

On July 27, 2012, the US. Department of Health and Human Services (HHS), Of?ce for Civil
Rights (OCR), Region IV received your complaint alleging that CVS Pharmacy (hereinafter,
the covered entity, has violated the Federal Standards for Privacy of Individually
Identi?able Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy
Rule). Speci?cally, you allege that CVS impermissibly disclosed your protected health
information when on June 16, 2012 a CVS technician approached the pharmacist, who
was in discussion with friends, and discussed your PHI in front of these non-employee
individuals. This allegation could re?ect a violation of 45 C.F.R. 164.502(a) and 

Thank you for bringing this matter to OCR's attention. Your complaint plays an integral part in
enforcement efforts.

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also enforces Federal
civil rights laws which prohibit discrimination in the delivery of health and human services
because of race, color, national origin, disability, age, and under certain circumstances, sex and
religion.

The Privacy Rule permits certain incidental uses and disclosures of protected health information
that occur as a by-product of another permissible or required use or disclosure of PHI, as
long as the covered entity has applied reasonable safeguards and implemented the minimum
necessary standard, where applicable, with respect to the primary use or disclosure. See 45
CPR For example, the Privacy Rule permits covered health care providers
to share PHI for treatment purposes without patient authorization as long as they use reasonable
safeguards when doing so. These safeguards may vary depending on the mode of
communication used. For example, when discussing patient health information orally with
another provider in proximity of others, a doctor may be able to reasonably safeguard the
information by lowering hisfher voice.

 

 

 

We have carefully reviewed your complaint against CVS and have determined to resolve this
matter informally through the provision of technical assistance to CVS. Should OCR receive a
similar allegation of noncompliance against CVS in the future, OCR may initiate a formal
investigation of that matter.

Based on the foregoing, OCR is closing this case without ?nther action, effective the date of this
letter. OCR?sdetermination as stated in this letter applies only to the allegations in this
complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a request,
we will make every effort, as permitted by law, to protect information that identi?es individuals
or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Sonya Hanafi, Investigator, at
(404} 562-7876 (Voice), (404) 562-7334 (TDD).

Sincerely,

lufle velt Freeman
Regional Manager
OCR Region Iv