is?; 5m?. i 5 he, DEPARTMENT OF HEALTH 3: HUMAN SERVICES Voice - {s12} ass-2359 TDD - (312) seasons . {312) ass-130? MW OFFICE OF THE SECRETARY Office for Civil Rights, Region 233 N. Michigan Ave, Suite 240 Chicago, IL 6060] January 17,2012 {bli?llbliillcl {bli?llbliillcl Coordinator-Privacy Investigations CVS PharmachCaremark 1 CVS Drive Woonsocket, RI 02395 {bli?llbliil Re: v. CVS Pharmacy OCR Transaction Number: 1 1?124802 Dear {bhfillbliilicl On February 8, 2011, the U.S. Department of Health and Human Services HHS), Of?ce for Civil Rights (OCR), Region V, received a complaint ?led by the complainant, and alleging that CVS Pharmacy the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information andfor the Security Standards for the Protection of Electronic Protected Health Information (45 CPR. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules). Speci?cally, {blislibliilicl allees that CVS impermissiny disclosed the protected health information (PHI) of her husband, to another individual when CVS sold his prescription medication to another individual. This allegation could re?ect violations of 45 CPR. 164.502(a) and OCR enforces the Privacy and Security Rules, and Breach Notification Rule, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion. OCR has reviewed the matter raised in the complaint. August 26, 2011, OCR noti?ed CVS of this complaint. On September 30, 2011, CVS provided a written response to OCR, along with supporting documents. Based on our review of the facts and circumstances of this matter, we have determined that all of the issues raised in this matter at the time it was filed have now been resolved by the voluntary compliance actions of the CE For her part, {blmlibliilm informed OCR that she went to CVS to pick up her husband?s prescription and was informed that the prescription had already been picked. After some discussion with pharmacy staff, it was determined that the prescription was dispensed to another individual. Page 2 In its res onse to OCR, CVS stated it conducted an intemal investigation of this matter at the time Iibii?libimm Ibrought the incident to their attention. CVS reported that the patient who received Iibll?ilxibilillcl prescription returned it immediately. The Privacy Rule mandates that a covered entity may not use or disclose PHI, except as permitted or required by the Privacy Rule. 45 CPR. 16450201). The Privacy Rule also provides that a covered entity must implement policies and procedures with respect to uses and disclosures of PHI, and have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. 45 CPR. In this case, alleges that CVS impermissiny disclosed the protected health information (PHI) of her husband. action did not comport with the requirements of the Privacy Rule. Accordingly, to resolve the issues raised in this matter, CVS took the following voluntary actions: 1) apologized at the time the incident; 2) reviewed HIPAA policies and procedures; 3) retrained staff on policies and procedures regarding ?lling and dispensing prescriptions and patient veri?cation. During the course of this investigation, OCR reviewed the relevant privacy policies and procedures that CVS submitted to OCR. These policies and procedures generally comport with the requirements of the Privacy Rule. Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions regarding this matter, please contact Wandah Hardy, Investigator, at (312) 353-9774 or (312) 353-5693 (TDD). Sincerely, gm?? Celeste H. Davis Acting Regional Manager