DEPARTMENT OF HEALTH AND HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region VI
1301 Young Street, Suite I Inc Pm
Dallas, TX 7521!:
Voice - [214) {3130) 353-1019 TDD - [214} 53?-?597
5. e, - (214) tar-D432

my 2.52813

[redacted]
Privacy Office
CVS Caremark
9501 E. Shea Blvd.
Scottsdale, AZ 85260

Our Transaction 12-143821

Dear [redacted]:

On May 25, 2012, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights received a complaint alleging a violation of the Federal Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy Rule and Security Rules). Specifically, the complainant, [redacted] alleged that on May 19, 2012, the pharmacist, at CVS Store 8309 in Baton Rouge, Louisiana, [redacted] disclosed the protected health information (PHI) or absence: when liaisons Igave the complainant . ?on instead of the prescription intended for the complainant's nife,

Under the Privacy Rule, a covered entity may not use or disclose the PHI of an individual, unless the use or disclosure is permitted or required by the Privacy Rule. See 45 C.F.R. § 164.502. Rather, a covered entity must have in place appropriate safeguards to protect the PHI of an individual. See 45 C.F.R

OCR enforces the Privacy Rule, Security Rule and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

We have reviewed the matters raised in the complaint. On September 12, 2012, OCR notified CVS of the complaint. informed OCR that the allegation had previously been addressed by when called its Customer Relations Department to file a complaint regarding the disclosure of patient information.
The incident was also reported by the store through their internal reporting procedure for privacy incidents. According to CVS, the patient was asked to return the prescription received in error. refused to return the it as evidence. Subsequently, sent the prescription to the Board of

The employee that made the error was retrained on the verification process at pick up. In addition the employee received verbal coaching and counseling. CVS informed OCR that the entire and Security CVS provided copies of training verification for each employee. CVS assured OCR that the pharmacy teams at every store locations have been trained on the HIPAA Privacy Rules regarding patient privacy.

OnMafyr informed OCR of its new process. Because of this incident, CVS prescription at pick up. According to CVS, the program not only enhanced its verification This process will nu to ovs the pharmacist apologized to for the incident and informed her that the

CVS provided copies of its policies and procedures on Uses and Disclosures of protected health information and Safeguarding and their Notice of Privacy Practices.

with the Privacy and As a result of this incident, CVS implemented corrective action measures to prevent a reoccurrence of this incident. through the voluntary compliance action of CVS Caremark. Therefore, OCR is closing this matter. determination as stated in this letter applies only to the allegations in this complaint that was reviewed by OCR.

Under the In the event OCR receives identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Adriane Springs, Equal Opportunity Specialist, at (214) 767-4690 (Voice), or (214) 767-8940 (TDD).

Thank you for bringing this matter to our attention.