DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region [illegible]
233 N. Michigan Ave, Suite 24
Chicago, IL 60601
Voice - (312) 886-2359, (800) 363-1019
TDD - (312) 353-5693, (800) [illegible]
FAX - (312) 886-130[illegible]

June 19, 2012

Re: CVS Pharmacy
OCR Transaction Number: 12-136274

Dear [name redacted]:

On December 6, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region [illegible] received your complaint alleging that CVS Pharmacy (CVS), a covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, you allege that, on December 3, 2011, and on multiple previous occasions, the pharmacist at CVS Store #806? located at 31250 Beck Road in Novi, MI disclosed your protected health information (PHI) without your authorization to do so when the pharmacist loudly stated the name of your prescription, "Valtrex", when you were speaking with him in the store and in the drive-thru pick-up window while other CVS customers were present and within hearing distance. This allegation could reflect violations of 45 C.F.R. [sections illegible].

Thank you for bringing this matter to OCR's attention. Your complaint plays an integral part in OCR's enforcement efforts. OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule permits certain incidental uses and disclosures of PHI that occur as a by-product of another permissible or required use or disclosure of PHI, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. 45 C.F.R. [section illegible]. For example, the Privacy Rule permits covered health care providers to share PHI for treatment purposes without patient authorization as long as they use reasonable safeguards when doing so. These safeguards may vary depending on the mode of communication used. For example, when discussing patient health information orally with another provider in proximity of others, a doctor may be able to reasonably safeguard the information by lowering his/her voice.

We have carefully reviewed your complaint against CVS and have determined to resolve this matter informally through the provision of technical assistance to CVS. Should OCR receive a similar allegation of noncompliance against CVS in the future, OCR may initiate a formal investigation of that matter. Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in the complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Nicholas Brescia, Investigator, at (312) 886-5079 (Voice) or (312) 353-5693 (TDD).

Sincerely,

Celeste H. Davis
Regional Manager


DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region [illegible]
233 N. Michigan Ave, Suite 24
Chicago, IL 60601

June 19, 2012

[name redacted]
Privacy Officer
CVS Pharmacy
1 CVS Drive
Woonsocket, RI 02895

Re: CVS Pharmacy
OCR Transaction Number: 12-136274

Dear [name redacted]:

On December 6, 2011, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region [illegible] received a complaint filed by the complainant, alleging that CVS Pharmacy (CVS), the covered entity, violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, [name redacted] alleges that, on December 3, 2011, and on multiple previous occasions, the pharmacist at CVS Store #806? located at 31250 Beck Road in Novi, MI disclosed her protected health information (PHI) without her authorization to do so when the pharmacist loudly stated the name of her prescription, "Valtrex", when she was speaking with him in the store and in the drive-thru pick-up window while other CVS customers were present and within hearing distance. This allegation could reflect a violation of 45 C.F.R. [sections illegible].

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule permits certain incidental uses and disclosures of PHI that occur as a by-product of another permissible or required use or disclosure of PHI, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. See 45 C.F.R. [section illegible]. For example, the Privacy Rule permits covered health care providers to share PHI for treatment purposes without patient authorization as long as they use reasonable safeguards when doing so. These safeguards may vary depending on the mode of communication used. For example, when discussing patient health information orally with another provider in proximity of others, a doctor may be able to reasonably safeguard the information by lowering his/her voice.

In this matter, the complainant alleges the incidental use or disclosure of PHI was not permissible, either because reasonable safeguards were not in place to prevent the use or disclosure and/or because the minimum necessary standard was not implemented when it should have been.

Pursuant to its authority under 45 C.F.R. 160.304(a) and [section illegible], OCR has determined to resolve this matter informally through the provision of technical assistance to CVS. To that end, OCR has enclosed material explaining the Privacy Rule provisions related to Incidental Uses and Disclosures, Reasonable Safeguards, and the Minimum Necessary requirement. You are encouraged to review these materials closely and to share them with your staff as part of the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your workforce. You are also encouraged to assess and determine whether there may have been an incident of noncompliance as alleged by the complainant in this matter, and, if so, to take the steps necessary to ensure such noncompliance does not occur in the future. Please contact OCR if you need further information regarding the allegations in this matter.

Should OCR receive a similar allegation of noncompliance against CVS in the future, OCR may initiate a formal investigation of that matter. Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in the complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public.
In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Nicholas Brescia, Investigator, at (312) 886-5079 (Voice) or (312) 353-5693 (TDD).

Sincerely,

Celeste H. Davis
Regional Manager

Enclosures:
I. Incidental Disclosures
II. Reasonable Safeguards
III. Minimum Necessary


OCR HIPAA Privacy, December 3, 2002

INCIDENTAL USES AND DISCLOSURES [45 CFR [section illegible]]

Background

Many customary health care communications and practices play an important or even essential role in ensuring that individuals receive prompt and effective health care. Due to the nature of these communications and practices, as well as the various environments in which individuals receive health care or other services from covered entities, the potential exists for an individual's health information to be disclosed incidentally. For example, a hospital visitor may overhear a provider's confidential conversation with another provider or a patient, or may glimpse a patient's information on a sign-in sheet or nursing station whiteboard.

The HIPAA Privacy Rule is not intended to impede these customary and essential communications and practices and, thus, does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. Rather, the Privacy Rule permits certain incidental uses and disclosures of protected health information to occur when the covered entity has in place reasonable safeguards and minimum necessary policies and procedures to protect an individual's privacy.

How the Rule Works

General Provision.
The Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. See 45 CFR [section illegible]. An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule. However, an incidental use or disclosure is not permitted if it is a by-product of an underlying use or disclosure which violates the Privacy Rule.

Reasonable Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures. See 45 CFR [section illegible]. It is not expected that a covered entity's safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information it holds, and assess the potential risks to patients' privacy. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.

Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals' health information, for instance:
- By speaking quietly when discussing a patient's condition with family members in a waiting room or other public area;
- By avoiding using patients' names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;
- By isolating or locking file cabinets or records rooms; or
- By providing additional security, such as passwords, on computers maintaining personal information.

Protection of patient confidentiality is an important practice for many health care and health information management professionals; covered entities can build upon these codes of conduct to develop the reasonable safeguards required by the Privacy Rule.

Minimum Necessary. Covered entities also must implement reasonable minimum necessary policies and procedures that limit how much protected health information is used, disclosed, and requested for certain purposes. These minimum necessary policies and procedures also reasonably must limit who within the entity has access to protected health information, and under what conditions, based on job responsibilities and the nature of the business. The minimum necessary standard does not apply to disclosures, including oral disclosures, among health care providers for treatment purposes. For example, a physician is not required to apply the minimum necessary standard when discussing a patient's medical chart information with a specialist at another hospital. See 45 CFR 164.502(b) and [section illegible], and the fact sheet and frequently asked questions on this web site about the minimum necessary standard, for more information. An incidental use or disclosure that occurs as a result of a failure to apply reasonable safeguards or the minimum necessary standard, where required, is not permitted under the Privacy Rule.
For example:
- The minimum necessary standard requires that a covered entity limit who within the entity has access to protected health information, based on who needs access to perform their job duties. If a hospital employee is allowed to have routine, unimpeded access to patients' medical records, where such access is not necessary for the hospital employee to do his job, the hospital is not applying the minimum necessary standard. Therefore, any incidental use or disclosure that results from this practice, such as another worker overhearing the hospital employee's conversation about a patient's condition, would be an unlawful use or disclosure under the Privacy Rule.

INCIDENTAL USES AND DISCLOSURES
Frequently Asked Questions

Can health care providers engage in confidential conversations with other providers or with patients, even if there is a possibility that they could be overheard?

Yes. The HIPAA Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. Provisions of this Rule requiring covered entities to implement reasonable safeguards that reflect their particular circumstances and exempting treatment disclosures from certain requirements are intended to ensure that providers' primary consideration is the appropriate treatment of their patients. The Privacy Rule recognizes that oral communications often must occur freely and quickly in treatment settings. Thus, covered entities are free to engage in communications as required for quick, effective, and high quality health care. The Privacy Rule also recognizes that overheard communications in these settings may be unavoidable and allows for these incidental disclosures.

For example, the following practices are permissible under the Privacy Rule, if reasonable precautions are taken to minimize the chance of incidental disclosures to others who may be nearby:
- Health care staff may orally coordinate services at hospital nursing stations.
- Nurses or other health care professionals may discuss a patient's condition over the phone with the patient, a provider, or a family member.
- A health care professional may discuss lab test results with a patient or other provider in a joint treatment area.
- A physician may discuss a patient's condition or treatment regimen in the patient's semi-private room.
- Health care professionals may discuss a patient's condition during training rounds in an academic or training institution.
- A pharmacist may discuss a prescription with a patient over the pharmacy counter, or with a physician or the patient over the phone.

In these circumstances, reasonable precautions could include using lowered voices or talking apart from others when sharing protected health information. However, in an emergency situation, in a loud emergency room, or where a patient is hearing impaired, such precautions may not be practicable. Covered entities are free to engage in communications as required for quick, effective, and high quality health care.

Does the HIPAA Privacy Rule require hospitals and doctors' offices to be retrofitted, to provide private rooms, and soundproof walls to avoid any possibility that a conversation is overheard?

No, the Privacy Rule does not require these types of structural changes be made to facilities. Covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. This standard requires that covered entities make reasonable efforts to prevent uses and disclosures not permitted by the Rule. The Department does not consider facility restructuring to be a requirement under this standard. For example, the Privacy Rule does not require the following types of structural or systems changes:
- Private rooms.
- Soundproofing of rooms.
- [word illegible] of wireless or other emergency medical radio communications which can be intercepted by scanners.
- [word illegible] of telephone systems.

Covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures. The Privacy Rule does not require that all risk of protected health information disclosure be eliminated. Covered entities must review their own practices and determine what steps are reasonable to safeguard their patient information. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the potential effects on patient care, and any administrative or financial burden to be incurred from implementing particular safeguards. Covered entities also may take into consideration the steps that other prudent health care and health information professionals are taking to protect patient privacy.

Examples of the types of adjustments or modifications to facilities or systems that may constitute reasonable safeguards are:
- Pharmacies could ask waiting customers to stand a few feet back from a counter used for patient counseling.
- In an area where multiple patient-staff communications routinely occur, use of cubicles, dividers, shields, curtains, or similar barriers may constitute a reasonable safeguard. For example, a large clinic intake area may reasonably use cubicles or shield-type dividers, rather than separate rooms, or providers could add curtains or screens to areas where discussions often occur between doctors and patients or among professionals treating the patient.
- Hospitals could ensure that areas housing patient files are supervised or locked.
May physicians' offices or pharmacists leave messages for patients at their homes, either on an answering machine or with a family member, to remind them of appointments or to inform them that a prescription is ready? May providers continue to mail appointment or prescription refill reminders to patients' homes?

Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual's privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.

A covered entity also may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual's care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR [section illegible].

In situations where a patient has requested that the covered entity communicate with him in a confidential manner, such as by alternative means or at an alternative location, the covered entity must accommodate that request, if reasonable.
For example, the Department considers a request to receive mailings from the covered entity in a closed envelope rather than by postcard to be a reasonable request that should be accommodated. Similarly, a request to receive mail from the covered entity at a post office box rather than at home, or to receive calls at the office rather than at home are also considered to be reasonable requests, absent extenuating circumstances. See 45 CFR 164.522(b).

May physicians' offices use patient sign-in sheets or call out the names of their patients in their waiting rooms?

Yes. Covered entities, such as physicians' offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician). See 45 CFR [section illegible].

Are physicians and doctors' offices prohibited from maintaining patient medical charts at bedside or outside of exam rooms, or from engaging in other customary practices where the potential exists for patient information to be incidentally disclosed to others?

No. The HIPAA Privacy Rule does not prohibit covered entities from engaging in common and important health care practices; nor does it specify the specific measures that must be applied to protect an individual's privacy while engaging in these practices. Covered entities must implement reasonable safeguards to protect an individual's privacy. In addition, covered entities must reasonably restrict how much information is used and disclosed, where appropriate, as well as who within the entity has access to protected health information. Covered entities must evaluate what measures make sense in their environment and tailor their practices and safeguards to their particular circumstances.

For example, the Privacy Rule does not prohibit covered entities from engaging in the following practices, where reasonable precautions have been taken to protect an individual's privacy:
- Maintaining patient charts at bedside or outside of exam rooms, displaying patient names on the outside of patient charts, or displaying patient care signs (e.g., "high fall risk" or "diabetic diet") at patient bedside or at the doors of hospital rooms. Possible safeguards may include: reasonably limiting access to these areas, ensuring that the area is supervised, escorting non-employees in the area, or placing patient charts in their holders with identifying information facing the wall or otherwise covered, rather than having health information about the patient visible to anyone who walks by.
- Announcing patient names and other information over a facility's public announcement system. Possible safeguards may include: limiting the information disclosed over the system, such as referring the patients to a reception desk where they can receive further instructions in a more confidential manner.
- Use of X-ray lightboards or in-patient logs, such as whiteboards, at a nursing station. Possible safeguards may include: if the X-ray lightboard is in an area generally not accessible by the public, or if the nursing station whiteboard is not readily visible to the public, or any other safeguard which reasonably limits incidental disclosures to the general public.

The above examples of possible safeguards are not intended to be exclusive. Covered entities may engage in any practice that reasonably safeguards protected health information to limit incidental uses and disclosures.

A clinic customarily places patient charts in the plastic box outside an exam room. It does not want the record left unattended with the patient, and physicians want the record close by for fast review right before they walk into the exam room. Will the HIPAA Privacy Rule allow the clinic to continue this practice?

Yes, the Privacy Rule permits this practice as long as the clinic takes reasonable and appropriate measures to protect the patient's privacy. The physician or other health care professionals use the patient charts for treatment purposes. Incidental disclosures to others that might occur as a result of the charts being left in the box are permitted, if the minimum necessary and reasonable safeguards requirements are met. See 45 CFR [section illegible]. As the purpose of leaving the chart in the box is to provide the physician with access to the medical information relevant to the examination, the minimum necessary requirement would be satisfied. Examples of measures that could be reasonable and appropriate to safeguard the patient chart in such a situation would be limiting access to certain areas, ensuring that the area is supervised, escorting non-employees in the area, or placing the patient chart in the box with the front cover facing the wall rather than having protected health information about the patient visible to anyone who walks by. Each covered entity must evaluate what measures are reasonable and appropriate in its environment.
Covered entities may tailor measures to their particular circumstances. See 45 CFR [section illegible].

A hospital customarily displays patients' names next to the door of the hospital rooms that they occupy. Will the HIPAA Privacy Rule allow the hospital to continue this practice?

The Privacy Rule explicitly permits certain incidental disclosures that occur as a by-product of an otherwise permitted disclosure, for example, the disclosure to other patients in a waiting room of the identity of the person whose name is called. In this case, disclosure of patient names by posting on the wall is permitted by the Privacy Rule, if the use or disclosure is for treatment (for example, to ensure that patient care is provided to the correct individual) or health care operations purposes (for example, as a service for patients and their families). The disclosure of such information to other persons (such as other visitors) that will likely also occur due to the posting is an incidental disclosure.

Incidental disclosures are permitted only to the extent that the covered entity has applied reasonable and appropriate safeguards and implemented the minimum necessary standard, where appropriate. See 45 CFR [section illegible]. In this case, it would appear that the disclosure of names is the minimum necessary for the purposes of the permitted uses or disclosures described above, and there do not appear to be additional safeguards that would be reasonable to take in these circumstances. However, each covered entity must evaluate what measures are reasonable and appropriate in its environment. Covered entities may tailor measures to their particular circumstances.

May mental health practitioners or other specialists provide therapy to patients in a group setting where other patients and family members are present?

Yes. Disclosures of protected health information in a group therapy setting are treatment disclosures and, thus, may be made without an individual's authorization. Furthermore, the Privacy Rule generally permits a covered entity to disclose protected health information to a family member or other person involved in the individual's care. Where the individual is present during the disclosure, the covered entity may disclose protected health information if it is reasonable to infer from the circumstances that the individual does not object to the disclosure. Absent countervailing circumstances, the individual's agreement to participate in group therapy or family discussions is a good basis for inferring the individual's agreement.

Are covered entities required to document incidental disclosures permitted by the HIPAA Privacy Rule, in an accounting of disclosures provided to an individual?

No. The Privacy Rule includes a specific exception from the accounting standard for incidental disclosures permitted by the Rule. See 45 CFR [section illegible].

Do the HIPAA Privacy Rule's provisions permitting certain incidental uses and disclosures apply only to treatment situations or discussions among health care providers?

No. The provisions apply universally to incidental uses and disclosures that result from any use or disclosure permitted under the Privacy Rule, and not just to incidental uses and disclosures resulting from treatment communications, or only to communications among health care providers or other medical staff. For example:
- A provider may instruct an administrative staff member to bill a patient for a particular procedure, and may be overheard by one or more persons in the waiting room.
- A health plan employee discussing a patient's health care claim on the phone may be overheard by another employee who is not authorized to handle patient information.

If the provider and the health plan employee made reasonable efforts to avoid being overheard and reasonably limited the information shared, an incidental use or disclosure resulting from such conversations would be permissible under the Rule.

Is a covered entity required to prevent any incidental use or disclosure of protected health information?

No. The HIPAA Privacy Rule does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. Rather, the Rule requires only that covered entities implement reasonable safeguards to limit incidental uses or disclosures. See 45 CFR [section illegible].