slm_

 

 

y? s.

:2

ii DEPARTMENT OF HEALTH HUMAN SERVICES OFFICE OF THE SECRETARY
r- Voice - [214} rot-4055. {coo} 363-1019 TDD - {214) tor-3940

- (214i rat-0432 Of?ce for Civil Rights, Region VI

can SEP  1301 Young Street, Suite 1169
Dallas, TX. 752112
{bii?tiaimici

 

 

 

Re: OCR Transaction Number: 13-166142

Dear {bli?liblii?ltcl

On August 28, 2013, the U.S. Department of Health and Human Services (HHS), Of?ce for Civil
Rights (OCR), Region VI received your complaint alleging that CVS Pharmacy, the covered
entity, has violated the Federal Standards for Privacy of Individually Identi?able Health
Information andfor the Security Standards for the Protection of Electronic Protected Health
Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security
Rules). (45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Speci?cally, you
allege that on August 2013, you went to the CVS Pharmacy for a prescription pickup and
while waiting in the pharmacy drive thru, your protected health information (PHI) was spoken
where other patients could hear. This allegation could re?ect a violation of 45 C.F.R. 
164.502(a) and 

Thank you for bringing this matter to attention. Your complaint plays an integral part in
enforcement efforts.

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also enforces Federal
civil rights laws which prohibit discrimination in the delivery of health and human services
because of race, color, national origin, disability, age, and under certain circumstances, sex and
religion.

The Privacy Rule permits certain incidental uses and disclosures of protected health information
(PHI) that occur as a by-product of another permissible or required use or disclosure of PHI, as
long as the covered entity has applied reasonable safeguards and implemented the minimum
necessary standard, where applicable, with respect to the primary use or disclosure. See 45
CPR. For example, the Privacy Rule permits covered health care providers
to share PHI for treatment purposes without patient authorization as long as they use reasonable
safeguards when doing so. These safeguards may vary depending on the mode of
communication used. For example, when discussing patient health information orally with
another provider in proximity of others, a doctor may be able to reasonably safeguard the
information by lowering his/her voice.

We have carefully reviewed your complaint against CVS Pharmacy, and have determined to
resolve this matter informally through the provision of technical assistance to CVS Pharmacy.
Should OCR receive a similar allegation of noncompliance against CVS Pharmacy in the ?Jture,
OCR may initiate a formal investigation of that matter.

 

 

 

 



 

 

 

Page 2 of 2

Based on the foregoing, OCR is closing this case without further action, effective the date of this
letter. determination as stated in this letter applies only to the allegations in this
complaint that were reviewed by OCR.

Under the Freedom of lnfonnation Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a request,
we will make every effort, as permitted by law, to protect information that identi?es individuals
or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Vaniecy Nwigwe, at 214-76?-
4054 (Voice) or 2 111?767-8940 (TDD).

Sincerely,

 

 

 

femurk

e-

1
DEPARTMENT OF HEALTH HUMAN SERVICES OFFICE OF THE SECRETARY
Ta Voice - (214) tor-4055. (soc) 363-1019 Top - (214:: ?6??394El
(FAX) - {214} FIST-0432 Office for Civil Rights, Region VI
mm 130] Young Street, Suite 1169

Dallas, TX "5202
SEP IS 2013 

CVS Pharmacy

Ann: Privacy Of?cer
One CV5 Drive
Woonsocket, RI 02395

Re: OCR Transaction Number: 13-166142

Re: CVS Pharmacy
Attn: Privacy Of?cer
8024 Walnut Hill Lane
Dallas, TX 75231

Dear Privacy Of?cer:

On August 23, 2013, the US. Department of Health and Human Services Of?ce for Civil Rights
(OCR), Region VI received a complaint alleging that a workforce member at CVS Pharmacy, the covered
entity, has violated the Federal Standards for Privacy of individually Identi?able Health Information
andlor the Security Standards for the Protection of Electronic Protected Health Information (45 CPR,
Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules . 45 CPR. Parts 160 and 164,
Subpans A and E, the Privacy Rule). Speci?cally, the complainant, alleges that on August
27, 2013, his protected health information (PHI) was spoken in a drive thru where other patients could
heat. This allegation could re?ect a violation of 45 CPR. 164.502ia} and 164.53 

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also enforces Federal civil rights
laws which prohibit discrimination in the delivery of health and human services because of race, color,
national origin, disability, age, and under certain circumstances, sea and religion.

The Privacy Rule permits certain incidental uses and disclosures of protected health information (PHI)
that occur as a by-product of another permissible or required use or disclosure of PHI, as long as the
covered entity has applied reasonable safeguards and implemented the minimum necessary standard,
where applicable, with respect to the primary use or disclosure. See 45 CPR. For
example, the Privacy Rule permits covered health care providers to share PHI for treatment purposes
without patient authorization as long as they use reasonable safeguards when doing so. These safeguards
may vary depending on the mode of communication used. For example, when discussing patient health
information orally with another provider in proximity of others, a doctor may be able to reasonably
safeguard the information by lowering hisfher voice.

in this matter, the complainant alleges the incidental use or disclosure of PHI was not permissible, either
because reasonable safeguards were not in place to prevent the use or disclosure audior because the
minimum necessary standard was not implemented when it should have been. Pursuant to its authority
under 45 C.F.R. 160.304(a) and OCR has determined to resolve this matter informally through
the provision of technical assistance to the CVS Pharmacy. To that end, OCR has enclosed
material explaining the Privacy Rule

 

CVS Pharmacy
Page 2 of 2

provisions related to Incidental Uses and Disclosures, Reasonable Safeguards, and the Minimum
Necessary requirement.

You are encouraged to review these materials closely and to share them with your staff as part of
the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your
workforce. You are also encouraged to assess and determine whether there may have been an
incident of noncompliance as alleged by the complainant in this matter, and, if so, to take the
steps necessary to ensure such noncompliance does not occur in the future. Please contact OCR
if you need further information regarding the allegations in this matter. Should OCR receive a
similar allegation of noncompliance against the CVS Pharmacy in the future, OCR may initiate a
formal investigation of that matter.

Based on the foregoing, OCR is closing this case without further action, effective the date of this
letter. determination as stated in this letter applies only to the allegations in this
complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a request,
we will make every effort, as permitted by law, to protect information that identi?es individuals
or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact Vaniecy Nwigwe, at 214-767-
4054 (Voice) or 214-767-8940 (TDD). .

Sincerely,

 

egional Manager

Enclosures: Incidental Disclosures
Reasonable Safeguards
Minimum Necessary