DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region IV
61 [illegible] Street, SW
Atlanta Federal Center, Suite 16T70
Atlanta, GA 30303-8909
Voice - (404) 562-7886, (800) 368-1019
TDD - (404) 562-7384, (800) 537-7697
(FAX) (404) 562-[digits illegible]

December 13, 2012

[redacted]

Re: [redacted] v. CVS Pharmacy Store #7046
OCR Reference Number: 12-15066[illegible]

Dear [redacted]:

On August 29, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region IV received your complaint alleging that CVS Pharmacy Store #7046, the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, you allege that CVS Pharmacy Store #7046 impermissibly disclosed your PHI when, on August 29, 2012, a CVS workforce member discussed your PHI within earshot of others in the waiting area. This allegation could reflect a violation of 45 C.F.R. 164.502(a) and [citation illegible].

Thank you for bringing this matter to our attention. Your complaint plays an integral part in enforcement efforts. OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule permits certain incidental uses and disclosures of protected health information (PHI) that occur as a by-product of another permissible or required use or disclosure of PHI, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. See 45 C.F.R. [section illegible]. For example, the Privacy Rule permits covered health care providers to share PHI for treatment purposes without patient authorization as long as they use reasonable safeguards when doing so. These safeguards may vary depending on the mode of communication used. For example, when discussing patient health information orally with another provider in proximity of others, a doctor may be able to reasonably safeguard the information by lowering his/her voice.

We have carefully reviewed your complaint against CVS and have determined to resolve this matter informally through the provision of technical assistance to CVS. Should OCR receive a similar allegation of noncompliance against CVS in the future, OCR may initiate a formal investigation of that matter.

Based on the foregoing, OCR is closing this case without action, effective the date of this letter. The determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Sonya Hanafi, Investigator, at [e-mail address illegible], or (404) 562-7876 (Voice), (404) 562-7884 (TDD).

Sincerely,

[signature] Freeman
Regional Manager
OCR Region IV


DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region IV

December 18, 2012

Attn: Privacy Officer
CVS Pharmacy Store #7046
14636 US Highway [number illegible]
Hampstead, NC 28443

Re: [redacted] v. CVS Pharmacy Store #7046
OCR Reference Number: 12-15066[illegible]

Dear Privacy Officer:

On August 29, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region IV received a complaint alleging that CVS Pharmacy Store #7046 has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, the complaint alleges that CVS Pharmacy Store #7046 impermissibly disclosed the PHI of Complainant when, on August 29, 2012, a CVS workforce member discussed Complainant's PHI within earshot of others in the waiting area. This allegation could reflect a violation of 45 C.F.R. 164.502(a) and [citation illegible].

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule permits certain incidental uses and disclosures of protected health information (PHI) that occur as a by-product of another permissible or required use or disclosure of PHI, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. See 45 C.F.R. [section illegible]. For example, the Privacy Rule permits covered health care providers to share PHI for treatment purposes without patient authorization as long as they use reasonable safeguards when doing so. These safeguards may vary depending on the mode of communication used. For example, when discussing patient health information orally with another provider in proximity of others, a doctor may be able to reasonably safeguard the information by lowering his/her voice.

In this matter, the complainant alleges the incidental use or disclosure of PHI was not permissible, either because reasonable safeguards were not in place to prevent the use or disclosure and/or because the minimum necessary standard was not implemented when it should have been.

Pursuant to its authority under 45 C.F.R. [citations illegible], OCR has determined to resolve this matter informally through the provision of technical assistance to CVS. To that end, OCR has enclosed material explaining the Privacy Rule provisions related to Incidental Uses and Disclosures, Reasonable Safeguards, and the Minimum Necessary requirement. You are encouraged to review these materials closely and to share them with your staff as part of the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your workforce. You are also encouraged to assess and determine whether there may have been an incident of noncompliance as alleged by the complainant in this matter, and, if so, to take the steps necessary to ensure such noncompliance does not occur in the future. Please contact OCR if you need further information regarding the allegations in this matter. Should OCR receive a similar allegation of noncompliance against CVS in the future, OCR may initiate a formal investigation of that matter.

Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. The determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Sonya Hanafi, Investigator, at [e-mail address illegible] or (404) 562-7876 (Voice), (404) 562-7884 (TDD).

Sincerely,

[signature] Freeman
Regional Manager
OCR Region IV

Enclosures: Incidental Disclosures; Reasonable Safeguards; Minimum Necessary


OCR HIPAA Privacy, December 3, 2002

INCIDENTAL USES AND DISCLOSURES [45 CFR (section illegible)]

Background

Many customary health care communications and practices play an important or even essential role in ensuring that individuals receive prompt and effective health care. Due to the nature of these communications and practices, as well as the various environments in which individuals receive health care or other services from covered entities, the potential exists for an individual's health information to be disclosed incidentally. For example, a hospital visitor may overhear a provider's confidential conversation with another provider or a patient, or may glimpse a patient's information on a sign-in sheet or nursing station whiteboard. The HIPAA Privacy Rule is not intended to impede these customary and essential communications and practices and, thus, does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. Rather, the Privacy Rule permits certain incidental uses and disclosures of protected health information to occur when the covered entity has in place reasonable safeguards and minimum necessary policies and procedures to protect an individual's privacy.

How the Rule Works

General Provision. The Privacy Rule permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard, where applicable, with respect to the primary use or disclosure. See 45 CFR [section illegible]. An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule. However, an incidental use or disclosure is not permitted if it is a by-product of an underlying use or disclosure which violates the Privacy Rule.

Reasonable Safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures. See 45 CFR [section illegible]. It is not expected that a covered entity's safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information it holds, and assess the potential risks to patients' privacy. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.

[...] necessary standard. Therefore, any incidental use or disclosure that results from this practice, such as another worker overhearing the hospital employee's conversation about a patient's condition, would be an unlawful use or disclosure under the Privacy Rule.

[...] emergency situation, in a loud emergency room, or where a patient is hearing impaired, such precautions may not be practicable. Covered entities are free to engage in communications as required for quick, effective, and high quality health care.

Does the HIPAA Privacy Rule require hospitals and doctors' offices to be retrofitted, to provide private rooms, and soundproof walls to avoid any possibility that a conversation is overheard?

No, the Privacy Rule does not require these types of structural changes be made to facilities. Covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. This standard requires that covered entities make reasonable efforts to prevent uses and disclosures not permitted by the Rule. The Department does not consider facility restructuring to be a requirement under this standard. For example, the Privacy Rule does not require the following types of structural or systems changes:

- Private rooms.
- Soundproofing of rooms.
- [word illegible] of wireless or other emergency medical radio communications which can be intercepted by scanners.
- [word illegible] of telephone systems.

Covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures. The Privacy Rule does not require that all risk of protected health information disclosure be eliminated. Covered entities must review their own practices and determine what steps are reasonable to safeguard their patient information. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the potential effects on patient care, and any administrative or financial burden to be incurred from implementing particular safeguards. Covered entities also may take into consideration the steps that other prudent health care and health information professionals are taking to protect patient privacy. Examples of the types of adjustments or modifications to facilities or systems that may [...]

[...] envelope rather than by postcard to be a reasonable request that should be accommodated. Similarly, a request to receive mail from the covered entity at a post office box rather than at home, or to receive calls at the office rather than at home, are also considered to be reasonable requests, absent extenuating circumstances. See 45 CFR [section illegible].

May physicians' offices use patient sign-in sheets or call out the names of their patients in their waiting rooms?

Yes. Covered entities, such as physicians' offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (such as the medical problem for which the patient is seeing the physician). See 45 CFR [section illegible].

Are physicians and doctors' offices prohibited from maintaining patient medical charts at bedside or outside of exam rooms, or from engaging in other customary practices where the potential exists for patient information to be incidentally disclosed to others?

No. The HIPAA Privacy Rule does not prohibit covered entities from engaging in common and important health care practices; nor does it specify the specific measures that must be applied to protect an individual's privacy while engaging in these practices. Covered entities must implement reasonable safeguards to protect an individual's privacy. In addition, covered entities must reasonably restrict how much information is used and disclosed, where appropriate, as well as who within the entity has access to protected health information. Covered entities must evaluate what measures make sense in their environment and tailor their practices and safeguards to their particular circumstances. For example, the Privacy Rule does not prohibit covered entities from engaging in the following practices, where reasonable precautions have been taken to protect an individual's privacy:

- Maintaining patient charts at bedside or outside of exam rooms, displaying patient names on the outside of patient charts, or displaying patient care signs (such as "high fall risk" or "diabetic diet") at patient bedside or at the doors of hospital rooms.

[...] the wall rather than having protected health information about the patient visible to anyone who walks by. Each covered entity must evaluate what measures are reasonable and appropriate in its environment. Covered entities may tailor measures to their particular circumstances. See 45 CFR [section illegible].

A hospital customarily displays patients' names next to the door of the hospital rooms that they occupy. Will the HIPAA Privacy Rule allow the hospital to continue this practice?

The Privacy Rule explicitly permits certain incidental disclosures that occur as a by-product of an otherwise permitted disclosure, for example, the disclosure to other patients in a waiting room of the identity of the person whose name is called. In this case, disclosure of patient names by posting on the wall is permitted by the Privacy Rule, if the use or disclosure is for treatment (for example, to ensure that patient care is provided to the correct individual) or health care operations purposes (for example, as a service for patients and their families). The disclosure of such information to other persons (such as other visitors) that will likely also occur due to the posting is an incidental disclosure. Incidental disclosures are permitted only to the extent that the covered entity has applied reasonable and appropriate safeguards and implemented the minimum necessary standard, where appropriate. See 45 CFR [section illegible]. In this case, it would appear that the disclosure of names is the minimum necessary for the purposes of the permitted uses or disclosures described above, and there do not appear to be additional safeguards that would be reasonable to take in these circumstances. However, each covered entity must evaluate what measures are reasonable and appropriate in its environment. Covered entities may tailor measures to their particular circumstances.

May mental health practitioners or other specialists provide therapy to patients in a group setting where other patients and family members are present?

Yes. Disclosures of protected health information in a group therapy setting are treatment disclosures and, thus, may be made without an individual's authorization. Furthermore, the HIPAA Privacy Rule generally permits a covered entity to disclose protected health information to a family member or other person involved in the individual's care. Where the individual is present during the disclosure, the covered entity may disclose protected health information if it is reasonable to infer from the circumstances that the individual does not object to the disclosure. Absent countervailing circumstances, the individual's agreement to participate in group therapy or family discussions is a good basis for inferring the individual's agreement.