DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region V
233 N. Michigan, Suite 240
Chicago, IL 60601
Voice: (312) 886-2359, (800) 368-1019
TDD: (312) 353-5693, (800) 537-7697

September 25, 2013

Re: OCR Transaction Number: 13-164355

Dear [redacted]:

On August 8, 2013, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received your complaint alleging that CVS Pharmacy, the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, you allege that, on May 6, 2013, a Pharmacy Tech named [redacted] at the CVS located at 3171 West Blvd. in Cleveland, Ohio disclosed your protected health information (PHI) to your neighbor, who is also [redacted]'s niece, without her authorization to do so. This allegation could reflect a violation of 45 C.F.R. 164.510 and 164.530(c) of the Privacy Rule.

Thank you for bringing this matter to OCR's attention. Your complaint plays an integral part in OCR's enforcement efforts. OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces the Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

A covered entity may not use or disclose protected health information except as permitted or required by the Privacy Rule. As long as an individual does not object, a covered entity is allowed to share or discuss with the individual's family, friends, or other persons identified by the individual the protected health information that is directly relevant to such person's involvement with the individual's care or payment for care. The covered entity may ask the individual's permission, may tell the individual that the covered entity plans to discuss the information and give the individual an opportunity to object, or may decide, using the covered entity's professional judgment, that the individual does not object. However, in any of these cases, the covered entity may discuss only the information that the person involved needs to know about the individual's care or payment for their care.

The minimum necessary provision of the Privacy Rule also requires the covered entity to limit access to protected health information by identifying the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and conditions appropriate to such access.

Additionally, pursuant to its authority under 45 C.F.R. 160.304(a), OCR has determined to resolve this matter informally through the provision of technical assistance to CVS. To that end, OCR has enclosed material explaining the Privacy Rule provisions related to Disclosures to Family and Friends, the Minimum Necessary Requirement, and Reasonable Safeguards.

Finally, a covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures required by the Privacy Rule or its compliance with such policies and procedures or with the requirements of the Privacy Rule. 45 C.F.R. 164.530.

We have carefully reviewed your complaint against CVS and have determined to resolve this matter informally through the provision of technical assistance to CVS. Should OCR receive a similar allegation of noncompliance against CVS in the future, OCR may initiate a formal investigation of that matter. Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.
Under the Freedom of Information Act, OCR may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, OCR will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Felicia Clay, Investigator, at (312) 886-5078 (Voice) or (312) 353-5693 (TDD).

Sincerely,

Celeste H. Davis
Regional Manager

September 25, 2013

[redacted]
Privacy Officer
CVS Pharmacy
One CVS Drive
Woonsocket, RI 02895

Re: OCR Transaction Number: 13-164355

Dear [redacted]:

On August 8, 2013, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), Region V, received a complaint from [redacted] alleging that CVS Pharmacy, the covered entity, has violated the Federal Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Specifically, [redacted] alleges that, on May 6, 2013, a Pharmacy Tech named [redacted] at the CVS located at 3171 West Blvd. in Cleveland, Ohio disclosed her protected health information (PHI) to her neighbor, who is also [redacted]'s niece, without her authorization to do so. This allegation could reflect a violation of 45 C.F.R. 164.510 and 164.530(c) of the Privacy Rule.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces the Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

Pursuant to the Privacy Rule, a covered entity may not use or disclose PHI except as permitted or required by the Privacy Rule. As long as an individual does not object, a covered entity is allowed to share or discuss the individual's health information with the individual's family, friends, or others involved in the individual's care or payment for their care. The covered entity may ask the individual's permission, may tell the individual that the covered entity plans to discuss the information and give the individual an opportunity to object, or may decide, using the covered entity's professional judgment, that the individual does not object. However, in any of these cases, the covered entity may discuss only the information that the person involved needs to know about the individual's care or payment for their care.

The minimum necessary provision of the Privacy Rule also requires the covered entity to limit access to protected health information by identifying the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and conditions appropriate to such access.

In this matter, the complainant alleges that the complainant's PHI was impermissibly disclosed to a member of the complainant's family or to an acquaintance of the complainant, or that the complainant's PHI was otherwise impermissibly used by an employee of CVS.

Pursuant to its authority under 45 C.F.R. 160.304(a), OCR has determined to resolve this matter informally through the provision of technical assistance to CVS. To that end, OCR has enclosed material explaining the Privacy Rule provisions related to Disclosures to Family and Friends, the Minimum Necessary Requirement, and Reasonable Safeguards.

Finally, a covered entity must provide a process for individuals to make complaints concerning the covered entity's policies and procedures required by the Privacy Rule or its compliance with such policies and procedures or with the requirements of the Privacy Rule. 45 C.F.R. 164.530.

It is our expectation that you will review these materials closely and share them with your staff as part of the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your workforce. It is also our expectation that you will assess and determine whether there may have been an incident of noncompliance as alleged by the complainant in this matter, and, if so, take the steps necessary to ensure such noncompliance does not occur in the future. Please contact OCR if you need further information regarding the allegations in this matter.

Should OCR receive a similar allegation of noncompliance against CVS in the future, OCR may initiate a formal investigation of that matter. Based on the foregoing, OCR is closing this case without further action, effective the date of this letter. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, OCR may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, OCR will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Felicia Clay, Investigator, at (312) 866-5078 (Voice) or (312) 353-5693 (TDD).

Sincerely,

Celeste H. Davis
Regional Manager

Enclosures:
Disclosures to Family and Friends
The Minimum Necessary Requirement
Reasonable Safeguards

DISCLOSURES TO FRIENDS AND FAMILY
45 C.F.R. §164.510(b)

The Privacy Rule does not require a health care provider or health plan to share information with a patient's family or friends, unless they are the patient's personal representatives. The law does permit providers and plans to share information with a patient's family or friends in certain circumstances. A health care provider or health plan may share relevant information with family members or friends involved in the patient's health care or payment for the patient's health care, if the patient tells the provider or plan that it can do so, or if the patient does not object to sharing of the information. For example, if the patient does not object, the patient's doctor could talk with the friend who goes with the patient to the hospital or a family member who pays the patient's medical bill. A provider or plan may also share relevant information with these persons if, using its professional judgment, it believes that the patient does not object. For example, if a patient sends a friend to pick up a prescription for the patient, the pharmacist can assume that the patient does not object to their being given the medication. When the patient is not there or is injured and cannot give their permission, a provider may share information with these persons when it decides that doing so would be in the patient's best interest.

Q: Does the HIPAA Privacy Rule permit a doctor to discuss a patient's health status, treatment, or payment arrangements with the patient's family and friends?

A: Yes. The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient's care or payment for health care.
If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on their professional judgment, that the patient does not object. Under these circumstances, for example:

- A doctor may give information about a patient's mobility limitations to a friend driving the patient home from the hospital.
- A hospital may discuss a patient's payment options with her adult daughter.
- A doctor may instruct a patient's roommate about proper medicine dosage when she comes to pick up her friend from the hospital.
- A physician may discuss a patient's treatment with the patient in the presence of a friend when the patient brings the friend to a medical appointment and asks if the friend can come into the treatment room.

Even when the patient is not present or it is impracticable because of emergency circumstances or the patient's incapacity for the covered entity to ask the patient about discussing her care or payment with a family member or other person, a covered entity may share this information with the person when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR 164.510(b). Thus, for example:

- A surgeon may, if consistent with such professional judgment, inform a patient's spouse, who accompanied her husband to the emergency room, that the patient has suffered a heart attack and provide periodic updates on the patient's progress and prognosis.
- A doctor may, if consistent with such professional judgment, discuss an incapacitated patient's condition with a family member over the phone.

In addition, the Privacy Rule expressly permits a covered entity to use professional judgment and experience with common practice to make reasonable inferences about the patient's best interests in allowing another person to act on behalf of the patient to pick up a filled prescription, medical supplies, X-rays, or other similar forms of protected health information. For example, when a person comes to a pharmacy requesting to pick up a prescription on behalf of an individual he identifies by name, a pharmacist, based on professional judgment and experience with common practice, may allow the person to do so.

Q: If the patient is not present or is incapacitated, may a health care provider still share the patient's health information with family, friends, or others involved in the patient's care or payment for care?

A: Yes. If the patient is not present or is incapacitated, a health care provider may share the patient's information with family, friends, or others as long as the health care provider determines, based on professional judgment, that it is in the best interest of the patient. When someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care. The health care provider may discuss only the information that the person involved needs to know about the patient's care or payment. Here are some examples:

- A surgeon who did emergency surgery on a patient may tell the patient's spouse about the patient's condition while the patient is unconscious.
- A pharmacist may give a prescription to a patient's friend who the patient has sent to pick up the prescription.
- A hospital may discuss a patient's bill with her adult son who calls the hospital with questions about charges to his mother's account.
- A health care provider may give information regarding a patient's drug dosage to the patient's health aide who calls the provider with questions about the particular prescription.

BUT:

- A nurse may not tell a patient's friend about a past medical problem that is unrelated to the patient's current condition.
- A health care provider is not required by HIPAA to share a patient's information when the patient is not present or is incapacitated, and can choose to wait until the patient has an opportunity to agree to the disclosure.

Disclosures to a Patient's Family, Friends, or Others Involved in the Patient's Care or Payment for Care

Patient is present and has the capacity to make health care decisions:

  Family member or friend: Provider may disclose relevant information if the provider does one of the following: (1) obtains the patient's agreement; (2) gives the patient an opportunity to object and the patient does not object; (3) decides from the circumstances, based on professional judgment, that the patient does not object. Disclosure may be made in person, over the phone, or in writing.

  Other persons: Provider may disclose relevant information if the provider does one of the following: (1) obtains the patient's agreement; (2) gives the patient an opportunity to object and the patient does not object; (3) decides from the circumstances, based on professional judgment, that the patient does not object. Disclosure may be made in person, over the phone, or in writing.

Patient is not present or is incapacitated:

  Family member or friend: Provider may disclose relevant information if, based on professional judgment, the disclosure is in the patient's best interest. Disclosure may be made in person, over the phone, or in writing. Provider may use professional judgment and experience to decide if it is in the patient's best interest to allow someone to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of health information for the patient.

  Other persons: Provider may disclose relevant information if the provider is reasonably sure that the patient has involved the person in the patient's care and, in his or her professional judgment, the provider believes the disclosure to be in the patient's best interest. Disclosure may be made in person, over the phone, or in writing. Provider may use professional judgment and experience to decide if it is in the patient's best interest to allow someone to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of health information for the patient.

THE MINIMUM NECESSARY REQUIREMENT
45 C.F.R. 164.502(b) and 164.514(d)

Background

The minimum necessary standard, a key protection of the HIPAA Privacy Rule, is derived from confidentiality codes and practices in common use today. It is based on sound current practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information. The Privacy Rule's requirements for minimum necessary are designed to be sufficiently flexible to accommodate the various circumstances of any covered entity.

How the Rule Works

The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. The minimum necessary standard does not apply to the following:

- Disclosures to or requests by a health care provider for treatment purposes.
- Disclosures to the individual who is the subject of the information.
- Uses or disclosures made pursuant to an individual's authorization.
- Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.
- Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.
- Uses or disclosures that are required by other law.

The implementation specifications for this provision require a covered entity to develop and implement policies and procedures appropriate for its own organization, reflecting the entity's business practices and workforce. While guidance cannot anticipate every question or factual application of the minimum necessary standard to each specific industry context, where it would be generally helpful we will seek to provide additional clarification on this issue in the future. In addition, the Department will continue to monitor the workability of the minimum necessary standard and consider proposing revisions, where appropriate, to ensure that the Rule does not hinder timely access to quality health care.

Uses and Disclosures of, and Requests for, Protected Health Information

For uses of protected health information, the covered entity's policies and procedures must identify the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and conditions appropriate to such access. For example, hospitals may implement policies that permit doctors, nurses, or others involved in treatment to have access to the entire medical record, as needed. Case-by-case review of each use is not required. Where the entire medical record is necessary, the covered entity's policies and procedures must state so explicitly and include a justification.

For routine or recurring requests and disclosures, the policies and procedures may be standard protocols and must limit the protected health information disclosed or requested to that which is the minimum necessary for that particular type of disclosure or request. Individual review of each disclosure or request is not required.

For non-routine disclosures and requests, covered entities must develop reasonable criteria for determining and limiting the disclosure or request to only the minimum amount of protected health information necessary to accomplish the purpose of a non-routine disclosure or request. Non-routine disclosures and requests must be reviewed on an individual basis in accordance with these criteria and limited accordingly. Of course, where protected health information is disclosed to, or requested by, health care providers for treatment purposes, the minimum necessary standard does not apply.

Reasonable Reliance

In certain circumstances, the Privacy Rule permits a covered entity to rely on the judgment of the party requesting the disclosure as to the minimum amount of information that is needed. Such reliance must be reasonable under the particular circumstances of the request. This reliance is permitted when the request is made by:

- A public official or agency who states that the information requested is the minimum necessary for a purpose permitted under 45 CFR 164.512 of the Rule, such as for public health purposes.
- Another covered entity.
- A researcher with appropriate documentation from an Institutional Review Board (IRB) or Privacy Board.

The Rule does not require such reliance, however, and the covered entity always retains discretion to make its own minimum necessary determination for disclosures to which the standard applies.

Q: How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?

A: The HIPAA Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of, and requests for protected health information to the minimum necessary to accomplish the intended purpose. To allow covered entities the flexibility to address their unique circumstances, the Rule requires covered entities to make their own assessment of what protected health information is reasonably necessary for a particular purpose given the characteristics of their business and workforce, and to implement policies and procedures accordingly. This is not an absolute standard and covered entities need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers and plans today to limit the unnecessary sharing of medical information.

The minimum necessary standard requires covered entities to evaluate their practices and enhance protections as needed to limit unnecessary or inappropriate access to protected health information. It is intended to reflect and be consistent with, not override, professional judgment and standards. Therefore, it is expected that covered entities will utilize the input of prudent professionals involved in health care activities when developing policies and procedures that appropriately limit access to personal health information without sacrificing the quality of health care.

Q: Does the HIPAA Privacy Rule strictly prohibit the use, disclosure, or request of an entire medical record? If not, are case-by-case justifications required each time the entire medical record is disclosed?

A: No. The Privacy Rule does not prohibit the use, disclosure, or request of an entire medical record; and a covered entity may use, disclose, or request an entire medical record without a case-by-case justification, if the covered entity has documented in its policies and procedures that the entire medical record is the amount reasonably necessary for certain identified purposes. For uses, the policies and procedures would identify those persons or classes of persons in the workforce that need to see the entire medical record and the conditions, if any, that are appropriate for such access. Policies and procedures for routine disclosures and requests and the criteria used for non-routine disclosures and requests would identify the circumstances under which disclosing or requesting the entire medical record is reasonably necessary for particular purposes. The Privacy Rule does not require that a justification be provided with respect to each distinct medical record. Finally, no justification is needed in those instances where the minimum necessary standard does not apply, such as disclosures to or requests by a health care provider for treatment purposes or disclosures to the individual who is the subject of the protected health information.

Q: In limiting access, are covered entities required to completely restructure existing workflow systems, including redesigning office space and upgrading computer systems, in order to comply with the HIPAA Privacy Rule's minimum necessary requirements?

A: No. The basic standard for minimum necessary uses requires that covered entities make reasonable efforts to limit access to protected health information to those in the workforce that need access based on their roles in the covered entity. The Department generally does not consider facility redesigns as necessary to meet the reasonableness standard for minimum necessary uses. However, covered entities may need to make certain adjustments to their facilities to minimize access, such as isolating and locking file cabinets or records rooms, or providing additional security, such as passwords, on computers maintaining personal information. Covered entities should also take into account their ability to configure their record systems to allow access to only certain fields, and the practicality of organizing systems to allow this capacity. For example, it may not be reasonable for a small, solo practitioner who has largely a paper-based records system to limit access of employees with certain functions to only limited fields in a patient record, while other employees have access to the complete record. In this case, appropriate training of employees may be sufficient. Alternatively, a hospital with an electronic patient record system may reasonably implement such controls, and therefore, may choose to limit access in this manner to comply with the Privacy Rule.

REASONABLE SAFEGUARDS
45 C.F.R. 164.530(c)

A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as that limit incidental uses or disclosures. See 45 C.F.R. §164.530(c). It is not expected that a covered entity's safeguards guarantee the privacy of protected health information from any and all potential risks. Reasonable safeguards will vary from covered entity to covered entity depending on factors, such as the size of the covered entity and the nature of its business. In implementing reasonable safeguards, covered entities should analyze their own needs and circumstances, such as the nature of the protected health information it holds, and assess the potential risks to patients' privacy. Covered entities should also take into account the potential effects on patient care and may consider other issues, such as the financial and administrative burden of implementing particular safeguards.

Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals' health information, for instance:

- By speaking quietly when discussing a patient's condition with family members in a waiting room or other public area;
- By avoiding using patients' names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;
- By isolating or locking file cabinets or records rooms; or
- By providing additional security, such as passwords, on computers maintaining personal information.

Protection of patient confidentiality is an important practice for many health care and health information management professionals; covered entities can build upon those codes of conduct to develop the reasonable safeguards required by the Privacy Rule.