dunno

 

 

 

 

 

.2
mm 6 DEPARTMENT OF HEALTH dc HUMAN SERVICES OFFICE OF THE SECRETARY
Yum {stator?4115s. rain son?m r214; rat?am Office for Civil Rights, Region Vi
is r114; raises: hop 5 {1.1.1113 uh.- 13in mung Street, Suite nos
r5202

8 2012
{site} {bitiltcl . 
CVS Caremark
CVSiPhai-macy Privacy Of?cer

9501 E. Shea Blvd.
Scottsdale, AZ 85260

Our Reference Nunber: 12?1333] I


 

 

{blt?libliiltcl

 

 

and

 

Dear

 

 

 

The Department of Health and Human Services (HHS), Of?ce for Civil Rights (OCR) recein a
complaint on September 29, 2011, alleging that CVS Caremark?s phannacy located at 1161 1 Preston

Road in Dallas, Texas (CV8) is not in compliance with the Federal Standards for Privacy of Individually
Identi?able Health Information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule).

The complainant, alleges that on September 26, 2011, . the pharmacist
on duty, became agitated when the complainant questioned the cost of a prescription and yelled in a loud
voice causing nearby customers to hear the name of the complainant?s medication and the amount of
money spent on prescriptions by the complainant?s husband. These aiiegations could re?ect a violation of
45 can. 164.502, momma), 

OCR enforces Federal civil rights laws that prohibit discrimination in the delivery of health and human
services because of race. color, national origin, disability, age, and, under certain circumstances, sex and
religion. OCR is also responsible for enforcing the Privacy and Security Rules as they apply to ?covered
entities.? Covered entities include health care clearinghouses, health plans, and health care providers that
transmit health information in electronic form in connection with a transaction for which HHS has
adopted standards. See 45 C.F.R. Part 162.

OCR renewed the issues raised in the complaint and noti?ed CVS of the complaint?s allegations and its
possible violation of the Privacy Rule. A health care provider may disclose protected health information
only as permitted or required by the Privacy Rule. 45 C.F.R. The Privacy Rule permits a
health care provider to disclose protected health information without the agreement or written
authorization of the individual for treatment purposes. 45 C.F.R. 

Additionally, a health care provider is permitted to use or disclose protected health information
incidental to a use or disclosure otherwise permitted or required by the Privacy Rule provided the health
care provider has made reasonable efforts to limit protected health information to the minimum
necessary to accomplish the intended purpose of the use or disclosure and the covered entity has in place

 

appropriate administrative, technical, and physical safeguards to protect the privacy of protected health
information. See 45 C.F.R 16450203), and 

As such, a health care provider must reasonably safeguard protected health information to limit incidental
uses or disclosures made pursuant to an otherwise permitted or required use or disclosure. 45 CPR 
Thus, protected health information disclosed as an incident to treatment is a violation
of the Privacy Rule if a health care provider fails to follow appropriate safeguards to limit such
disclosures.

CVS provided OCR with its policies and procedures regarding safeguarding protected health
information that appear to comply with the Privacy Rule. safeguards policy instructs pharmacy
associates to: speak quietly to patients; create a ?privacy area? such as a small separate room or screened
off area to counsel patients regarding treatment; and ensure that waiting customersfpatients maintain a
reasonable distance from the counter when pharmacy employees are consulting with a patient at the
counter.

To address the issues raised in the compiaint, CVS retrained pharmacy members at Store #7288
regarding safeguards policies and procedures. In particular, training reiterated that the
pharmacy staff is to make every effort to ensure conversations regarding a patient?s protected health
information are not overheard. Pharmacy members also acknowledged in writing that they would
adhere to policies and procedures that safeguard a patient?s protected health information.

Because CVS Careka has addressed the issues raised in the complaint, OCR is closing this matter.
determination as stated in this letter applies only to the allegations in the complaint that were
reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information
about this case upon request by the'public. In the event OCR receives such a request, we will make every
effort, as permitted by law, to protect information that identi?es individuals or that, if released, could
constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Betty Robinson, Investigator, at (214)
767-4073.

Sincerely,

Ralph D. Rouse
Regional Manager, Region VI