g?mt ?is at ?um! DEPARTMENT OF HEALTH 5: HUMAN SERVICES OFFICE OF THE SECRETARY ?t'rnce- (are Tot?cues. (em) Mama mo {2.14} tor?saw: 01th:: for Civil Rights, Region VI no; - (214; tor?ms: 1 - 1301 Young Street, Suite nos Dallas, TX r5202 1111. 11" {bii?iibiti?ltci {hil?lihiiliici CVS Caremark Privacy Of?cer APR 7. 3 2912 9501 E- Shea Blvd. Scottsdale, AZ 85260 Our Reference Number: 1 1-130913 Dear and The Department of Health and Human Services (HI-IS), Of?ce for Civil Rights (OCR) received a complaint on July 29, 2011, alleging that CV3 Carcmarl-t?s pharmacy located at 4922 South Broadway Avenue in Tyler, Texas (CV8) is not in compliance with the Federal Standards For Privacy of Individually Identi?able Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). The complainant, lalleges that she was picking up a prescription {in her husband on May 23, 201 1, when libl?lxiblillicl Ithe pharmacist on duty, discussed information regarding her husband?s prescription in front of the complainant?s relatives and other bystanders instcad of in a private consultation area. Further, according to the complainant, the pharmacist discussed her husband?s health information in ?oat of the aforementioned third-parties despite the complainant stating that she did not want a consultation. These allegations could re?ect a violation of 45 CPR. 164.502, OCR enforces Federal civil rights laws that prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and, under certain circumstances, sex and religion. OCR is also responsible for enforcing the Privacy and Security Rules as they apply to ?covered entities.? Covered entities include health care clearinghouses, health plans, and health care providers that transmit health information in electronic form in connection with a transaction for which HHS has adopted slandards. See 45 C.F.R. Part 11.52. GER reviewed the issues raised in the complaint and noti?ed CVS of the complaint?s allegations and its possible violation of the Privacy Rule. CVS responded and stated that the pharmacist involved in the incident was instead of A heaith care provider may disclose protected health information only as permitted or required by the Privacy Rule. 45 CPR. The Privacy Rule permits a health care provider to disclose protected health information without the agreement or written authorization of the individual for treatment purposes. 45 CPR Additionally, a health care provider is permitted to use or disclose protected health information incidental to a use or disclosure otherwise permitted or required by the Privacy Rule provided the health care provider has made reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use or disclosure and the covered entity has in place . appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. See 45 CPR and As such, a health care provider must reasonany safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure. 45 CPR Thus, protected health information disclosed as an incident to treatment is a violation of the Privacy Rule if a health care provider fails to follow appropriate safeguards to limit such disclosures. CVS provided OCR with its policies and procedures regarding safeguarding protected health information that appear to comply with the Privacy Rule. safeguards policy instructs pharmacy associates to: speak quietly to patients; create a ?privacy area? such as a small separate room or screened off area to counsel patients regarding treatment; and ensure that waiting customersr'patients maintain a reasonable distance from the counter when pharmacy employees are consulting with a patient at the counter. To address the issues raised in the complaint, CVS trainedr?retrained pharmacy members at Store 6904 regarding safeguards policies and procedures. In particular, training reiterated that the pharmacy staff is to make every effort to ensure conversations regarding a patient?s protected health information are not overheard. Pharmacy members also acknowledged in writing that they would adhere to policies and procedures that safeguard a patient?s protected health information. Because CV Caremark has addressed the issues raised in the complaint, OCR is closing this matter. determination as stated in this letter applies only to the allegations in the complaint that were reviewed by OCR. Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identi?es individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy. If you have any questions regarding this matter, please contact Betty Robinson, Investigator, at (214) 767-4073.