?fmuog DEPARTMENT OF HEALTH HUMAN SERVICES ?"19 Seam
e'
i Voice - (214) rat-ease. (soc) ass-1019 Of?ce for Civi Rights. Region vl
'5 TDD - {214) TBT-8940. (300)537-7159?



Fox - {214] 7610432


Dallas, TX 75202

DECWZIJIS

CVS Caremark Privacy Of?ce
ATTN: Privacy Of?cer

One CVS Dr.

Woonsocket, RI 02895

Our Transaction Number: 14-169173
Dear Privacy Of?cer:

On October 24, 2013, the US. Department of Health and Human Services (HHS), Of?ce for
Civil Rights (OCR), received a complaint alleging that CVS Pharmacy in Saginaw, Texas, the
covered entity, has violated the Federal Standards for Privacy of Individually Identi?able Health
Information andfor the Security Standards for the Protection of Electronic Protected Health
Information (45 CFR. Parts .160 and 164, Subparts A, C, and E, the Privacy and Security
Rules). Speci?cally, the complainant, alleges that, on October 23, 2013 while
picking up a prescription, the clerics discussed his protected health information within hearing
distance of others that did not have a need to lorow. This allegation could re?ect a violation of
45 C.F.R. 

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also Federal civil rights
laws which prohibit discrimination in the delivery of health and human services because of race,
color, national origin, disability, age, and under certain circumstances, sex and religion.

In this matter, the complainant alleges that the covered entity does not employ reasonable
safeguards to prevent impermissible disclosures of protected health information (PHI). A
covered entity must maintain reasonable and appropriate administrative, technical, and physical
safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the
Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or
required use or disclosure. 45 C.F.R. 

Pursuant to its authority under 45 C.F.R. and OCR has determined to resolve
this matter informally through the provision of technical assistance to CVS Pharmacy. To that
end, OCR has enclosed material explaining the Privacy Rule provisions related to Reasonable
Safeguards.

You are encouraged to review these materials closely and to share them with your staff as part of
the Health Insurance Portability and Accountability Act (HIPAA) training you provide to your
workforce. You are also encouraged to assess and determine whether there may have been any
noncompliance as alleged by the complainant in this matter, and, if so, to take the steps
necessary to ensure such noncompliance does not occur in the future. In addition, OCR
encourages you to review the facts of this individual?s complaint and provide the individual the
appropriate written response swiftly if necessary to comply with the requirements of the Privacy

1301 Young Street, Suite 1169

 

 

Rule. Should OCR receive a similar allegation of noncompliance against CVS Pharmacy in the
future, OCR may initiate a formal investigation of that matter. In addition, please note that, after
a period of six months has passed, OCR may initiate and conduce a compliance review of CVS
Pharmacy related to your compliance with the Privacy Rules provisions related to Reasonable
Safeguards.

Based on the foregoing, OCR is closing this case without ?nther action, effective the date of this
letter. determination as stated in this letter applies only to the allegations in this
complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a
request, we will make every effort, as permitted by law, to protect information that identi?es
individuals or that, if released, could constitute a clearly unwarranted invasion of personal
pnvacy.

If you have any questions regarding this matter, please contact Debbie Campos, Investigator, at
(214) 767-3595 (Voice) or (214) 767-8940, (800) 537-769? (TDD).

Sincerely,

 

Enclosure: Reasonable Safeguards

 

Reasonable Safeguards
45 C.F.R. 164.530 

A covered entity must have in place appropriate administrative, technical, and physical
safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as
that limit incidental uses or disclosures. See 45 CPR. ?164.530 It is not expected that a
covered entity?s safeguards guarantee the privacy of protected health information from any and
all potential risks. Reasonable safeguards will vary from covered entity to covered entity
depending on factors, such as the size of the covered entity and the nature of its business. In
implementing reasonable safeguards, covered entities should analyze their own needs and
circumstances, such as the nature of the protected health information it holds, and assess the
potential risks to patients? privacy. Covered entities should also take into account the potential
effects on patient care and may consider other issues, such as the ?nancial and administrative
burden of implementing particular safeguards.

Many health care providers and professionals have long made it a practice to ensure reasonable
safeguards for individuals? health information for instance:

a By speaking quietly when discussing a patient?s condition with family members in a
waiting room or other public area;

0 By avoiding using patients? names in public hallways and elevators, and posting signs to
remind employees to protect patient con?dentiality;

By isolating or looking ?le cabinets or records rooms; or

By providing additional security, such as passwords, on computers maintaining personal
information.

Protection of patient con?dentiality is an important practice for many health care and health
information management professionals; covered entities can build upon those codes of conduct
to develop the reasonable safeguards required by the Privacy Rule.

 

0? entry.



DEPARTMENT OF HEALTH HUMAN SERVICES W33 0? ?19 

 

Voice - {214) 767-4056. (300) 3631019
TDD - 787-3940, {300) ear-res?
Fax - {214] 767-0432

at

Dallas. 
.hhs. ovt 

 

 



ECHIZGIS

 

 

Our Transaction Number?. [4-1691 78

Dear teeters

On October 24 2013, the US. Departrnent of Health and Human Services (HHS), Of?ce for
Civil Rights (OCR), received your complaint alleging that CVS Pharmacy in Saginaw, Texas,
the covered entity, has violated the Federal Standards for Privacy of Individually Identi?able
Health Information andfor the Security Standards for the Protection of Electronic Protected
Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security
Rules). Speci?cally, you allege that, on October 24, 2013, while picking up a prescription, the
clerks discussed your protected health information within hearing distance of others that did not
have a need to know. This allegation could re?ect a violation of 45 C.F.R. 164.53 

Thank you for bringing this matter to attention. Your complaint is an integral part of
OCR's enforcement efforts.

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also Federal civil rights
laws which prohibit discrimination in the delivery of health and human services because of race,
color, national origin, disability, age, and under certain circumstances, sea and religion.

A covered entity must maintain reasonable and appropriate administrative, technical, and
physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation
of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted
or required use or disclosure. 45 GER. For example, such safeguards might
include shredding documents containing protected health information before discarding them,
securing medical records with lock and key or pass code and limiting access to keys or pass
codes.

We have carefully reviewed your complaint against CVS Pharmacy and have determined to
resolve this matter informally through the provision of technical assistance to CVS Pharmacy.
Should OCR receive a similar allegation of noncompliance against CVS Pharmacy in the future,
OCR may initiate a formal investigation of that matter.

For your informational purposes, OCR has enclosed material regarding the Privacy Rule
provisions related to Safeguards.

Of?ce for Civil Higits, Region VI
1301 Young Street. Suite 1169

 

 

Based on the foregoing, OCR is closing this case without further action, effective the date of this
letter. determination as stated in this letter applies only to the allegations in this
complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a
request, we will make every effort, as permitted by law, to protect rinformation that identi?es
individuals or that, if released, could constitute a clearly unwarranted invasion of personal
privacy.

If you have an},r questions regarding this matter, please contact Debbie Campos, Investigator, at
(214) 767-3595 (Voice) or (214) 767-8940, (800) 

Sincerely,

 

Enclosure: Reasonable Safeguards

 

Reasonable Safeguards
45 C.F.R. 164.530 

A covered entity must have in place appropriate administrative, technical, and physical
safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as
that limit incidental uses or disclosures. See 45 C.F.R. ?164.530 It is not expected that a
covered entity?s safeguards guarantee the privacy of protected health information from any and
all potential risks. Reasonable safeguards will vary from covered entity to covered entity
depending on factors, such as the size of the covered entity and the nature of its business. In
implementing reasonable safeguards, covered entities should analyze their own needs and
circumstances, such as the nature of the protected health information it holds, and assess the
potential risks to patients? privacy. Covered entities should also take into account the potential
effects on patient care and may consider other issues, such as the financial and administrative
burden of implementing particular safeguards.

Many health care providers and professionals have long made it a practice to ensure reasonable
safeguards for individuals? health information for instance:

0 By speaking quietly when discussing a patient?s condition with family members in a
waiting room or other public area;

By avoiding using patients? names in public hallways and elevators, and posting signs to
remind employees to protect patient con?dentiality",

- By isolating or locking ?le cabinets or records rooms; or

By providing additional security, such as passwords, on computers maintaining personal
information.

Protection of patient con?dentiality is an important practice for many health care and health
information management professionals; covered entities can build upon those codes of conduct
to develop the reasonable safeguards required by the Privacy Rule.