DEPARTMENT OF HEALTH AND HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region V
233 N. Michigan Ave, Suite 240
Chicago, IL 60601
Voice - (312) [illegible] / TDD - (312) [illegible] / FAX - (312) [illegible]

June 15, 2012

Re: [redacted] v. CVS Pharmacy
OCR Transaction Number: 12-136225

Dear [redacted]:

On December 2, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received your complaint alleging that CVS Pharmacy (CVS) [portion redacted] disclosed your protected health information (PHI) (i.e., the name of a medication that had been filled at the pharmacy) to your soon-to-be husband. This allegation could reflect a violation of 45 C.F.R. 164.502(a) and 164.510(b). [...] enforcement efforts.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances sex and religion.

A covered entity may not use or disclose protected health information except as permitted or required by the Privacy Rule. As long as an individual does not object, a covered entity is allowed to share or discuss with the individual's family, friends, or other persons identified by the individual the protected health information that is directly relevant to such person's involvement with the individual's care or payment for care. The covered entity may ask the individual's permission, may tell the individual that the covered entity plans to discuss the information and give the individual an opportunity to object, or may decide, using the covered entity's professional judgment, that the individual does not object. However, in any of these cases, the covered entity may discuss the information that the person involved needs to know about the individual's care or payment for their care.

We have carefully reviewed your complaint against CVS and have determined to resolve this matter informally through the provision of technical assistance to CVS. Should OCR receive a similar allegation of noncompliance against CVS in the future, OCR may initiate a formal investigation of that matter. Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. The determination as stated in this letter applies only to the allegations in [redacted]'s complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Abby Bonjean, OCR Investigator, at (312) 886-5895 or (312) 353-5693 (TDD).

Sincerely,

[signature]
Celeste H. Davis
Regional Manager

DEPARTMENT OF HEALTH AND HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region V
233 N. Michigan Ave, Suite 240
Chicago, IL 60601
Voice - (312) 336-2359 / TDD - (312) 353-5693 / FAX - (312) [illegible]

June 15, 2012

Privacy Officer
CVS Pharmacy
1 CVS Drive
Woonsocket, RI 02895

Re: [redacted] v. CVS Pharmacy
OCR Transaction Number: 12-136225

Dear [redacted]:

On December 2, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received a complaint filed by Michelle [redacted], the complainant, alleging that CVS Pharmacy (CVS), the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, [redacted] alleges that, on November 27, 2011, a pharmacy representative located at 14372 Snow Road in Brook[...] Ohio, impermissibly disclosed [redacted] protected health information (PHI) to her soon-to-be ex-husband. This allegation could reflect a violation of 45 C.F.R. 164.502(a) and 164.510(b).
OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances sex and religion.

Pursuant to the Privacy Rule, a covered entity may not use or disclose PHI except as permitted or required by the Privacy Rule. As long as an individual does not object, a covered entity is allowed to share or discuss the individual's health information with the individual's family, friends, or others involved in the individual's care or payment for their care. The covered entity may ask the individual's permission, may tell the individual that the covered entity plans to discuss the information and give the individual an opportunity to object, or may decide, using the covered entity's professional judgment, that the individual does not object. However, in any of these cases, the covered entity may discuss the information that the person involved needs to know about the individual's care or payment for their care.

The minimum necessary provision of the Privacy Rule also requires the covered entity to limit access to protected health information by identifying the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and conditions appropriate to such access.

Finally, a covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures required by the Privacy Rule or its compliance with such policies and procedures or with the requirements of the Privacy Rule. 45 C.F.R. 164.530.

In this matter, the complainant alleges that the complainant's PHI was impermissibly disclosed to a member of the complainant's family or to an acquaintance of the complainant, or that the complainant's PHI was otherwise impermissibly used by an employee of CVS. Pursuant to its authority under 45 C.F.R. 160.304(a) and [...], OCR has determined to resolve this matter through the provision of technical assistance, in the form of the enclosed material explaining the Privacy Rule provisions related to Disclosures to Family and Friends, the Minimum Necessary Requirement, and Reasonable Safeguards. It is our expectation that you will review these materials closely and share them with your [...] whether there may have been an incident of noncompliance as alleged by the complainant in this matter and, if so, to take the steps necessary to ensure such noncompliance does not occur in the future. Should OCR receive a similar allegation of noncompliance against CVS in the future, OCR may initiate a formal investigation of that matter. Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. The determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Abby Bonjean, OCR Investigator, at (312) 886-5895 or (312) 353-5693 (TDD).

Sincerely,

[signature]
Celeste H. Davis
Regional Manager

Enclosures:
Disclosures to Family and Friends
The Minimum Necessary Requirement
Reasonable Safeguards

DISCLOSURES TO FRIENDS AND FAMILY
45 C.F.R. 164.510(b)

The Privacy Rule does not require a health care provider or health plan to share information with a patient's family or friends, unless they are the patient's personal representatives. The law does permit providers and plans to share information with a patient's family or friends in certain circumstances. A health care provider or health plan may share relevant information with family members or friends involved in the patient's health care or payment for the patient's health care if the patient tells the provider or plan that it can do so, or if the patient does not object to sharing of the information. For example, if the patient does not object, the patient's doctor could talk with the friend who goes with the patient to the hospital or a family member who pays the patient's medical bill. A provider or plan may also share relevant information with these persons if, using its professional judgment, it believes that the patient does not object. For example, if a patient sends a friend to pick up a prescription for the patient, the pharmacist can assume that the patient does not object to their being given the medication. When the patient is not there or is injured and cannot give their permission, a provider may share information with these persons when it decides that doing so would be in the patient's best interest.

Frequently Asked Questions

Q: Does the HIPAA Privacy Rule permit a doctor to discuss a patient's health status, treatment, or payment arrangements with the patient's family and friends?

A: Yes. The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient's care or payment for health care.
If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on its professional judgment, that the patient does not object. Under these circumstances, for example:

- A doctor may give information about a patient's mobility limitations to a friend driving the patient home from the hospital.
- A hospital may discuss a patient's payment options with her adult daughter.
- A doctor may instruct a patient's roommate about proper medicine dosage when she comes to pick up her friend from the hospital.
- A physician may discuss a patient's treatment with the patient in the presence of a friend when the patient brings the friend to a medical appointment and asks if the friend can come into the treatment room.

Even when the patient is not present, or it is impracticable because of emergency circumstances or the patient's incapacity for the covered entity to ask the patient about discussing her care or payment with a family member or other person, a covered entity may share this information with the person when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 C.F.R. 164.510(b). Thus, for example:

- A surgeon may, if consistent with such professional judgment, inform a patient's spouse, who accompanied her husband to the emergency room, that the patient has suffered a heart attack and provide periodic updates on the patient's progress and prognosis.
- A doctor may, if consistent with such professional judgment, discuss an incapacitated patient's condition with a family member over the phone.

In addition, the Privacy Rule expressly permits a covered entity to use professional judgment and experience with common practice to make reasonable inferences about the patient's best interests in allowing another person to act on behalf of the patient to pick up a filled prescription, medical supplies, X-rays, or other similar forms of protected health information. For example, when a person comes to a pharmacy requesting to pick up a prescription on behalf of an individual he identifies by name, a pharmacist, based on professional judgment and experience with common practice, may allow the person to do so.

Q: If the patient is not present or is incapacitated, may a health care provider still share the patient's health information with family, friends, or others involved in the patient's care or payment for care?

A: Yes. If the patient is not present or is incapacitated, a health care provider may share the patient's information with family, friends, or others as long as the health care provider determines, based on professional judgment, that it is in the best interest of the patient. When someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care. The health care provider may discuss only the information that the person involved needs to know about the patient's care or payment. Here are some examples:

- A surgeon who did emergency surgery on a patient may tell the patient's spouse about the patient's condition while the patient is unconscious.
- A pharmacist may give a prescription to a patient's friend who the patient has sent to pick up the prescription.
- A hospital may discuss a patient's bill with her adult son who calls the hospital with questions about charges to his mother's account.
- A health care provider may give information regarding a patient's drug dosage to the patient's health aide who calls the provider with questions about the particular prescription.

BUT:

- A nurse may not tell a patient's friend about a past medical problem that is unrelated to the patient's current condition.
- A health care provider is not required by HIPAA to share a patient's information when the patient is not present or is incapacitated, and can choose to wait until the patient has an opportunity to agree to the disclosure.

HIPAA Privacy Rule Disclosures to a Patient's Family, Friends, or Others Involved in the Patient's Care or Payment for Care

Patient is present and has the capacity to make health care decisions

  Family Member or Friend: Provider may disclose relevant information if the provider does one of the following: (1) Obtains the patient's agreement; (2) Gives the patient an opportunity to object and the patient does not object; (3) Decides from the circumstances, based on professional judgment, that the patient does not object. Disclosure may be made in person, over the phone, or in writing.

  Other Persons: Provider may disclose relevant information if the provider does one of the following: (1) Obtains the patient's agreement; (2) Gives the patient an opportunity to object and the patient does not object; (3) Decides from the circumstances, based on professional judgment, that the patient does not object. Disclosure may be made in person, over the phone, or in writing.

Patient is not present or is incapacitated

  Family Member or Friend: Provider may disclose relevant information if, based on professional judgment, the disclosure is in the patient's best interest. Disclosure may be made in person, over the phone, or in writing. Provider may use professional judgment and experience to decide if it is in the patient's best interest to allow someone to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of health information for the patient.

  Other Persons: Provider may disclose relevant information if the provider is reasonably sure that the patient has involved the person in the patient's care and, in his or her professional judgment, the provider believes the disclosure to be in the patient's best interest. Disclosure may be made in person, over the phone, or in writing. Provider may use professional judgment and experience to decide if it is in the patient's best interest to allow someone to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of health information for the patient.

THE MINIMUM NECESSARY REQUIREMENT
45 C.F.R. 164.502(b) and 164.514(d)

Background

The minimum necessary standard, a key protection of the HIPAA Privacy Rule, is derived from confidentiality codes and practices in common use today. It is based on sound current practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information. The Privacy Rule's requirements for minimum necessary are designed to be sufficiently flexible to accommodate the various circumstances of any covered entity.

How the Rule Works

The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. The minimum necessary standard does not apply to the following:

- Disclosures to or requests by a health care provider for treatment purposes.
- Disclosures to the individual who is the subject of the information.
- Uses or disclosures made pursuant to an individual's authorization.
- Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.
- Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.
- Uses or disclosures that are required by other law.

The implementation specifications for this provision require a covered entity to develop and implement policies and procedures appropriate for its own organization, reflecting the entity's business practices and workforce. While guidance cannot anticipate every question or factual application of the minimum necessary standard to each specific industry context, where it would be generally helpful we will seek to provide additional clarification on this issue in the future. In addition, the Department will continue to monitor the workability of the minimum necessary standard and consider proposing revisions, where appropriate, to ensure that the Rule does not hinder timely access to quality health care.

Uses and Disclosures of, and Requests for, Protected Health Information

For uses of protected health information, the covered entity's policies and procedures must identify the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and conditions appropriate to such access. For example, hospitals may implement policies that permit doctors, nurses, or others involved in treatment to have access to the entire medical record, as needed. Case-by-case review of each use is not required. Where the entire medical record is necessary, the covered entity's policies and procedures must state so explicitly and include a justification.

For routine or recurring requests and disclosures, the policies and procedures may be standard protocols and must limit the protected health information disclosed or requested to that which is the minimum necessary for that particular type of disclosure or request. Individual review of each disclosure or request is not required. For non-routine disclosures and requests, covered entities must develop reasonable criteria for determining and limiting the disclosure or request to only the minimum amount of protected health information necessary to accomplish the purpose of a non-routine disclosure or request. Non-routine disclosures and requests must be reviewed on an individual basis in accordance with these criteria and limited accordingly. Of course, where protected health information is disclosed to, or requested by, health care providers for treatment purposes, the minimum necessary standard does not apply.

Reasonable Reliance

In certain circumstances, the Privacy Rule permits a covered entity to rely on the judgment of the party requesting the disclosure as to the minimum amount of information that is needed. Such reliance must be reasonable under the particular circumstances of the request. This reliance is permitted when the request is made by:

- A public official or agency who states that the information requested is the minimum necessary for a purpose permitted under 45 CFR 164.512 of the Rule, such as for public health purposes (45 CFR [...]).
- Another covered entity.
- A professional who is a workforce member or business associate of the covered entity holding the information and who states that the information requested is the minimum necessary for the stated purpose.
- A researcher with appropriate documentation from an Institutional Review Board (IRB) or Privacy Board.

The Rule does not require such reliance, however, and the covered entity always has discretion to make its own minimum necessary determination for disclosures to which the standard applies.

Frequently Asked Questions

Q: How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?
A: The HIPAA Privacy Rule requires a covered entity to make reasonable efforts to limit uses and disclosures of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. To allow covered entities the flexibility to address their unique circumstances, the Rule requires covered entities to make their own assessment of what protected health information is reasonably necessary for a particular purpose, given the characteristics of their business and workforce, and to implement policies and procedures accordingly. This is not an absolute standard and covered entities need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers and plans today to limit the unnecessary sharing of medical information.

The minimum necessary standard requires covered entities to evaluate their practices and enhance protections as needed to limit unnecessary or inappropriate access to protected health information. It is intended to reflect and be consistent with, not override, professional judgment and standards. Therefore, it is expected that covered entities will utilize the input of prudent professionals involved in health care activities when developing policies and procedures that appropriately limit access to personal health information without sacrificing the quality of health care.

Q: Does the HIPAA Privacy Rule strictly prohibit the use, disclosure, or request of an entire medical record? If not, are case-by-case justifications required each time the entire medical record is disclosed?

A: No. The Privacy Rule does not prohibit the use, disclosure, or request of an entire medical record; and a covered entity may use, disclose, or request an entire medical record without a case-by-case justification, if the covered entity has documented in its policies and procedures that the entire medical record is the amount reasonably necessary for certain identified purposes. For uses, the policies and procedures would identify those persons or classes of persons in the workforce that need to see the entire medical record and the conditions, if any, that are appropriate for such access. Policies and procedures for routine disclosures and requests and the criteria used for non-routine disclosures and requests would identify the circumstances under which disclosing or requesting the entire medical record is reasonably necessary for particular purposes. The Privacy Rule does not require that a justification be provided with respect to each distinct medical record.

Finally, no justification is needed in those instances where the minimum necessary standard does not apply, such as disclosures to or requests by a health care provider for treatment purposes or disclosures to the individual who is the subject of the protected health information.

Q: In limiting access, are covered entities required to completely restructure existing workflow systems, including redesigning office space and upgrading computer systems, in order to comply with the HIPAA Privacy Rule's minimum necessary requirements?

A: No. The basic standard for minimum necessary uses requires that covered entities make reasonable efforts to limit access to protected health information to those in the workforce that need access based on their roles in the covered entity. The Department generally does not consider facility redesigns as necessary to meet the reasonableness standard for minimum necessary uses.
However, covered entities may need to make certain adjustments to their facilities to minimize access, such as isolating and locking file cabinets or records rooms, or providing additional security, such as passwords, on computers maintaining personal information.

Covered entities should also take into account their ability to configure their record systems to allow access to only certain fields, and the practicality of organizing systems to allow this capacity. For example, it may not be reasonable for a small, solo practitioner who has largely a paper-based records system to limit access of employees with certain functions to only limited fields in a patient record, while other employees have access to the complete record. In this case, appropriate training of employees may be sufficient. Alternatively, a hospital with an electronic patient record system may reasonably implement such controls, and therefore, may choose to limit access in this manner to comply with the Privacy Rule.

REASONABLE SAFEGUARDS
45 C.F.R. 164.530(c)

A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures. See 45 C.F.R. 164.530(c). It is not expected that a covered entity's safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information it holds, and assess the potential risks to patients' privacy. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.

Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals' health information, for instance:

- By speaking quietly when discussing a patient's condition with family members in a waiting room or other public area;
- By avoiding using patients' names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;
- By isolating or locking file cabinets or records rooms; or
- By providing additional security, such as passwords, on computers maintaining personal information.

Protection of patient confidentiality is an important practice for many health care and health information management professionals; covered entities can build upon those codes of conduct to develop the reasonable safeguards required by the Privacy Rule.