0? ?liltin- ad-

Home?!
DEPARTMENT OF HEALTH 3: HUMAN SERVICES OFFICE OF  SECRETARY
Voice- - (214') tor-41356. [soot ace-1019 TDD -(214] rot-5940 I Office for Civil Rights, Region 
4a (FAX) - {214) rev-0432 hrrg' mehhag?vf?f 1301 Young Street, Suite 1169
Dallas, 



{blt?libltiltcl

 

 

 

 

Privacy Director
CVS Caremark

9501 E. Shea

Scottsdale, AZ 35260

Transaction Number: 12-135684

Dem-Iterator?) Tami {bit?itblmi?i

On November 14 2011, the Of?ce for Civil Rights (OCR) received a complaint from
lalleging a violation or the Federal Standards for Privacy of lndividua 
Identi?able Health Information andfor the Security Standards for the Protection of
Electronic Protected Health Information (45 CPR. Parts 160 and 164 Sub rats A, C, and
E, the Privacy,Ir and Security Rules}. Speci?cally, alleges CVS

 

 

Carcrnark impermissiny disclosed the protected health information of 
an individual with whom libi'i?lxibl'micl I has no 
relationship, when Caremark sent a pharmacy re?n request tow on 1 
at 9:28 am. This allegation could re?ect violations of 45 CPR. 164.502(a} and


 

OCR enforces the Privacy and Security Rules and also enforces federal civil rights laws
which prohibit discrimination in the delivery of health and human services because of race,
color, national origin, disability and age.

OCR noti?ed CVS Caremark of the complaint on December 12, 2011 and
reviewer] subsequent response. CVS conducted an internal investigation into the
complaint and acknowledged that prescription infonnation was inadvertently sent to
{bitelxtbim-ZGII rather than to the intended physician. CV3 provided documentation to
OCR that as a result of this incident, CV5 recained The employees of the involved
pharmacy on privacy policy and the procedures for safeguarding protected health
information.

12-135684 2

CVS further responded that it has implemented additional safeguards. In a letter to OCR
dated February 6, 2012, CVS responded:

?in December 2011 CVS Caremark implemented further technical safeguards to
reduce the likelihood of this type of error recurring. Speci?cally, prescribers can no
longer be searched using only their ?rst and last names. Employees must enter a
unique identi?er for the prescriber, such as a DEA number, SP1 or NPI, along with
last name. This enhanced security measure will ensure that the prescriher pro?le
pulled up in the system matches the prescribe-r listed on the prescription.?

CVS also provided OCR with copies of the policies ?Safeguarding PHI and and
?Internal Sanctions Policy 8r. Procedure? and documentation that the disclosure had been
accounted for in the patient ?le.

All matters raised by this complaint at the time it was ?led have now been resolved through
the voluntary compliance actions of CVS. Therefore, OCR is closing this case. 
determination as stated in this letter applies only to the allegations in this complaint that
were reviewed by OCR.

Under the Freedom of Information Act, it may be necessary for OCR to release this
document and related correspondence and records upon request. In the event that OCR
receives such a request, we will seek to protect, to the extent provided by law, personal
information which, if released, would constitute an unwarranted invasion of privacy.

If you have any questions, contact Jamie Sorley, Investigator, at {214) 767?8908 (Voice),
(214) 767?8940 (TDD).