DEPARTMENT OF HEALTH HUMAN SERVICES OFFICE OF THE SECRETARY

Office for Civil Rights, Region 
150 5. Independence Hall West
Public Ledger Building, Suite 372
Philadelphia, PA 19106?3499

Voice? (215) 861-4441
TDD (215) 361-4440
FAX - (215) 861-4431
Worm

Reference: 152410
Investigator: Elizabeth Benson
Contact Telephone: 215-861-442?

February 22, 2013

 



 

 

 

Privacy Kdvisor, CVS Caremark
PO Box 52072
Phoenix, AZ 85022-2072

$33.0?le .cvs (2400 Aramingo Avenue, Philadelphia, PA)
OCR Transaction Number: 152410

 

{bll?libllil
Dear 

 

 

 

On December 4 2012, the U.S. Department of Health and Human Services (HHS), Of?ce for
Civil Rights (OCR), Region 3 received a complaint alleging that the CVS located at 2400
Aramingo Avenue in Philadelphia has violated the Federal Standards for Privacy of Individually
Identi?able Health Information (45 C.F.R. Parts 160 and 164, $11pr A and E, the Privacy
Rule). Speci?cally, the complainant alleges during a pharmacy visit on July 21, 2012, his full
driver?s license number was written next to his prescription information on the pharmacy log that
customer?s are required to sign. This allegation could re?ect a violation of 45 C.F.R. 
164.502(a) and 

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also enforces Federal
civil rights laws which prohibit discrimination in the delivery of health and human services
because of race, color, national origin, disability, age, and under certain circumstances, sex and
religion.

The Privacy Rule permits certain incidental uses and disclosures of protected health information
(PHI) that occur as a by-product of another permissible or required uselor disclosure of PHI, as
long as the covered entity has applied reasonable safeguards and implemented the minimum
necessary standard, where applicable, with respect to the primary use or disclosure. See 45
C.F.R. For example, the Privacy Rule perruits covered health care providers
to share PHI for treatment purposes without patient authorization as long as they use reasonable
safeguards when doing so. These safeguards may vary depending on the mode of
communication used. For example, when discussing patient health infermation orally with
another provider in proximity of others, a doctor may be able to reasonably safeguard the
information by lowering his/her voice.

In this matter, the complainant. alleges the incidental use or disclosure of PHI was not
permissible, either because reasonable safeguards were not in place to prevent the use or

disclosure andfor because the minimum necessary standard was not implemented when it should
have been. Pursuant to its authority under 45 160.304(a) and OCR has determined
to resolve this matter informally through the provision of technical assistance to CVS. To that
end, OCR has enclosed material explaining the Privacy Rule provisions related to Incidental
Uses and Disclosures, Reasonable Safeguards, and the Minimum Necessary requirement.

You are encouraged to review these materials closely and to share them with your sta?? as part of
the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your
workforce. You are also encouraged to assess and determine whether there may have been an
incident of noncompliance as alleged by the complainant in this matter, and, if so, to take the
steps necessary to ensure such noncompliance does not occur in the fauna. Please contact OCR
if you need further information regarding the allegations in this matter. Should OCR receive a
similar allegation of noncompliance against CVS in the future, OCR may initiate a formal
investigation of that matter.

Based on the foregoing, OCR is closing this case without further action, effective the date of this
letter. determination as stated in this letter applies only to the allegations in this
complaint that were renewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a request,
we will make every effort, as permitted by law, to protect information that identi?es individuals
or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Elizabeth Benson, Investigator, at
(215) 861-4427 (Voice) or (215) 861-4440 (TDD).

bare J. Holland
Regional Manager

Enclosures: Incidental Disclosures
Reasonable Safeguards
Minimum Necessary

 

gem DEPARTMENT on HEALTH at HUMAN OFFICE on THE SECRETARY

3 voice? (215} 861-4441 Of?ce for Civil Rights, Region 
- TDD (215) 861-4440 150 5. Independence Mall 1West
Mu FAX (215) 361-4431 Public Ledger Building, Suite 372

William: Philadelphia, PA 19106-3499

R'efereme: 152410
Investigator: Elizabeth Banson
Contact Telephone: 215861-442?

Iiiebruary 22, 2013

 



 

 

 

Our Transaction number: 03-13-152410


 

 

 



 

- On December 04, 2012, the US. Department of Health and Human Services (HHS), Of?ce for
Civil Rights (OCR), Region 3 received your complaint alleging that the CVS located at 2400
Ammingo Avenue, Philadelphia, has violated the Federal Standards for Privacy of Individually
Identi?able Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy
Rule). Speci?cally, you allege that during a visit to the CVS Pharmaeynn July 21, 2012, your
full driver?s license number was mitten next to your prescription information on the pharmacy
log that customer?s are required to sign. This allegation could re?ect a violation of 45 C.F.R. 
16450201) and 

Thank you for bringing this matter to attention. Your complaint plays an integral part in
enforcement efforts. -

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also enforces Federal
civil rights laws which prohibit discrimination in the delivery of health and human services
because of race, color, national origin, disability, age, and under certain circumstances, sex and
religion.

The Privacy Rule permits certain incidental uses and disclosures of protected health information
(PHI) that occuras a by-product of anotzter permissible or required use or disclosure of PHI, as
long as the covered entity has applied reasonable safeguards and implemented the minimum
necessary standard, where applicable, with respect to the primary use or disclosure. See 45
C.F.R. For example, the Privacy Rule permits covered health care providers
to share PHI for ureatment purposes without patient authorization as long as they use reasonable
safeguards when doing so. These safeguards may vary depending on the mode _cf
communication used. For example, when discussing patient health information orally with
another provider in proximity of others, a doctor may be able to reasonably safeguard the
information by lowering hisfher voice.

We have care?tlly reviewed your complaint against the CVS Pharmacy located at 2400
Aramingo Avenue, Philadelphia, and have determined to resolve this matter informally through
the provision of technical assistance to the covered entity. Should OCR receive a similar
allegation of noncompliance against the covered entity in the future, OCR may  a formal
investigation of that matter.

Based on the foregoing, OCR is closing this case without ?thher action, effective the date of this
letter. determination as stated in this letter applies only to the allegations in this
complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a request,
we will make every effort, as permitted by law, to protect information that-identi?es individuals
or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

Ifyou have any questions regarding this matter, please contact Elizabeth Benson, Investigator, at
215-361-4427 (Voice) or 215-861-4430 (TDD).

Sincerely,

.?wmwe

Barbara I. Holland
Regional Manager