gyms. DEPARTMENT OF HEALTH 8: HUMAN SERVICES OFFICE OF THE SECRETARY

 



 

 

 

 

Voice 4214] tenses, {sue} sea-101a Too 4214} tar-asst Of?ce for Civil Rights, Region VI
{Fall-{21411510432 130! Young Street, Suite 1169
Watthan Dallas, TX 75202

APR 1 6 2013
Privacy omeer
CV3 Carcmark
One CV Drive

Woonsocket, RI 02895
Transaction Number: [3457977

Re: CVS Pharmacy, 2823 Spears Rd., Houston, TX

 

b? . .
Dear Edi?libliil 
On March 28, 2013, the US. Department of Health and Human Services (HHS), Of?ce for Civil
Rights (OCR) Region VI, received a complaint alleging that CVS Pharmacy Houston, the
covered entity, has violated the Federal Standards for Privacy of Individually Identi?able Health
information (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Speci?cally, the
complaint alleges on January 13, 2013, a workforce member named Jaimee of CVS Pharmacy
Houston loudly discussed Fmimimmig] Iprotected health information (PHI) in {tent of
everyone in the waiting area. This allegation could re?ect a violation of 4S C.F.R. 164.502(a)
and 

 

 

 

 

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also enforces Federal
civil rights laws which prohibit discrimination in the delivery of health and inunan services
because of race, color, national origin, disability, age, and under certain sex and
religion.

The Privacy Rule permits certain incidental uses and disclosures of protected health information
(PHI) that occurs as a by-product of another permissible or required use or disclosure of PHI, as
long as the covered entity has applied reasonable safeguards and implemented the minimum
necessary standard, where applicable, with respect to the primary use or disclosure. See 45
CPR. For example, the Privacy Rule permits covered health care providers
to share PHI for treatment purposes udthout patient authorization as long as they use reasonable
safeguards when doing so- These safeguards may vary depending on the mode of
communication used. For example, when discussing patient health information orally with
another provider in proximity of others, a doctor may be able to reasonably safeguard the
information by lowering hisfher voice.

In this matter, the complainant alleges the incidental use or disclosure of PHI was not
permissible, because either reasonable safeguards were not in place to prevent the use or
disclosure andfor because the minimum necessary standard was not implemented when it should
have been. Pursuant to its authority under 45 C.F.R. 160.304(a) and OCRhas determined

to resolve this matter informally through the provision of technical assistance to CVS Pharmacy
Houston. To that end, OCR has enclosed material explaining the Privacy Rule provisions related
to Incidental Uses and Disclosures, Reasonable Safeguards, and the Minimum Necessary
requirement.

You are encouraged to review these materials closely and to share them with your staff as part of
the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your
workforce. You are also encouraged to assess and determine whether there may have been an
incident of noncompliance as alleged by the complainant in this matter, and, if so, to take the
steps necessary to ensure -such noncompliance does not occur in the future. Please contact OCR
if you need ?irther information regarding the allegations in this matter. Should OCR receive a
similar allegation of noncompliance against CVS Pharmacy Houston in the future, OCR may
initiate a formal investigation of that matter.

Based on the foregoing, OCR is closing this case without further action, effective the date of this
letter. determination as stated in this letter applies only to the allegations in this
complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a
request, we will make every effort, as permitted by law to protect information that identi?es
individuals or that, if released could constitute a clearly unwarranted invasion of personal
privacy.

If you have any questions regarding this matter, please contact Yvonne Butler, Investigator, at
214-767-4055 (Voice), 214-767-8940 (TDD).

Sincerelf
W.
orge A. Lo

0
Regional ger

Enclosures: Incidental Disclosures
Reasonable Safeguards
Minimum Necessary

 

 

.. DEPARTMENT OF HEALTH SERVICES OFFICE OF THE SECRETARY
i Voice- (214) res-4056, (an) 368-1019 roo- {214} rears-to cash: for Civil Rights, Region V1
Fan - (214) rat-0432 mammogram not Young Street, Suite no
em Dales, rxrsan
APR 1 6 2013
(bane:

 

 

 

Transaction Number: 13-15797?!

Dear 

On March 28, 2013, the US. Department of Health and Human Services (HHS), Of?ce for Civil
Rights (OCR) Region VI, received your complaint alleging that CVS Pharmacy Houston, the
covered entity, has violated the Federal Standards for Privacy of Individually Identi?able Health
Infomation (45 C.F.R. Parts 160 and 164, Subparts A and the Privacy Rule). Speci?cally,
you allege on January 18, 2013, a workforce member named of CVS Pharmacy Houston
loudly discussed your protected health information (PHI) in front of everyone in the waiting
area. This allegation could re?ect a violation of 45 CPR. 164.502(a} and 

Thank you for bringing this matter to attention. Your complaint plays an integral part in
enforcement efforts.

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also enforces Federal
civil rights laws which prohibit discrimination in the delivery of health and human services
because of race, color, national origin,I disability, age, and under certain circumstancm, sex and
religion.

The Privacy Rule permits certain incidental uses and disclosures of protected health information
(PHI) that occur as a by-product of another permissible or required use or disclosure of as
long as the covered entity has applied reasonable safeguards and implemented the minimum
necessary standard, where applicable, with respect to the primary use or disclosure. See 45
C.F.R. For example, the Privacy Rule permits covered health care providers
to share PHI for treannent purposes without patient authorization as long as they use reasonable
safeguards when doing so. These safeguards may vary depending on the mode of
communication used. For example, when discussing patient health information orally with
another provider in proximity of others, a doctor may be able to reasonably safeguard the
information by lowering hisr?her voice.

We have carefully reviewed your complaint against CVS Pharmacy Houston and have
determined to resolve this matter informally through the provision of technical assistance to CVS
Pharmacy Houston. Should OCR receive a similar allegation of noncompliance against CVS
Pharmacy Houston in the future, OCR may initiate a formal investigation of that matter.

Based on the foregoing, OCR is closing this case without further action, e??ective the date of this
letter. determination as stated in this letter applies only to the allegations in this
complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a request,
we will make every effort, as permitted by law, to protect information that identi?es individuals
or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Yvonne Butler, Investigator, at
214-767-4055 (Voice), 214-767-8940 (TDD).