?iv
DEPARTMENT OF HEALTH 8; HUMAN SERVICES OFFICE OF THE SECRETARY

O1 

votes- (214} 767-4055, Too . (214) rat-sacs
(214) rot-c432 Of?ce for Civil Rights, Region VI
1301 Young Street, Suite 1169
Dallas, TX 75202
JUL 1 6 2011:


 

 

 

 

Our Transaction Number: 14-185006

 



 

 

 

On May 29, 2014, the US. Department of Health and Human Services (HHS), Of?ce for Civil
Rights (OCR), Region VI received your complaint alleging that CV Caremark in San Antonio, TX,
the covered entity, has violated the Federal Standards for Privacy of Individually Identi?able Health
Information [45 C.F.R. Parts 160 and 164, Subparts A and E, the Privacy Rule). Sseci?cally, you
allege that, on May 29, 2014, CVS Caremark incorrectly mailedliblialxibliilicl prescription to
your home. You also stated that your attempts to resolve the issue were unsuccess?il. This allegation
could re?ect a violation of 45 CPR. ?164.502(a) and 

 

Thank you for bringing this matter to attention. Your complaint plays an integral part in
enforcement efforts.

OCR enforces the Privacy, Security, and Breach Notification Rules, and also enforces Federal civil
rights laws which prohibit discrimination in the delivery of health and human services because of
race, color, national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy Rule allows health care providers and health plans to share protected health information
(PHI) for permitted purposes using the mail or fan, as long as they use reasonable and appropriate
administrative, technical, and physical safeguards to protect the privacy of the PHI. See 45 CPR. 
These safeguards may vary depending on the mode of communication used. For
example, when faxing PHI to a telephone number that is not used regularly, a reasonable safeguard
may involve a covered entity ?rst con?nning the fax number with the intended recipient of the fax.

We have care?illy reviewed your complaint against CVS Careka and have determined to resolve
this matter informally through the provision of technical assistance. Should OCR receive a similar
allegation of noncompliance against CVS Careka in the future, OCR may initiate a formal
investigation of that matter.

Based on the foregoing, OCR is closing this case without further action, effective the date of this
letter. determination as stated in this letter applies only to the allegations in this complaint
that were reviewed by OCR.

Under the Freedom of [nfonnation Act, we may be required to release this letter and other
information about this case upon request by the public. I11 the event OCR receives such a request, we

will make every effort, as permitted by law, to protect information that identi?es individuals or that,
if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please do not hesitate to contact Karen Buckner, Investigator, at 214-767-
4510 (Voice), 214-767-8940 (TDD).

Sincerely,



Jorge A. Lozano
Regional Manager

May a physician?s of?ce or health plan use mail or fax to send patient medical information?

Yes. Where the Privacy Rule allows covered health care providers, health plans, or health care
clearinghouses to share protected health information with another organization or with the
individual, they may use a variety of means to deliver the information, as long as they use reasonable
safeguards when doing so. When the communications are in writing, the patient information may be
sent by mail, fax, or other means of reliable delivery.

The Privacy Rule requires that covered entities apply reasonable safeguards when making these
communications to protect the patient information from inappropriate use or disclosure to
unauthorized persons. These safeguards will vary depending on the mode of communication used.
For example, when mailing patient information, reasonable safeguards would include checking to
see that the name and address of the recipient are correct and current and that only the minimum
amount of patient information is showing on the outside of the envelope to ensure proper delivery to
the intended recipient. When faxing protected health information to a telephone number that is not
regularly used, a reasonable safeguard would include ?rst continuing the fax number with the
intended recipient. Similarly, a covered entity may pre-program frequently used numbers directly
into the fax machine to avoid misdirecting the information to someone who is not the intended
recipient.

The following checklists provide guidance on reasonable safeguards that a covered health care
provider, health plan, or health care clearinghouse may put in place to protect patient information
from being impermissiny disclosed during (1) mailing and (2) faxing. See 45
C.F.R. 

MAILING CHECKLIST

 

Carefully check name and address of intended recipient. Many names are similar; make sure
you have the correct name for the intended recipient on the envelope.
Make sure the address on the envelope matches the correct address of the intended recipient.

 

El Carefully check the contents of the envelope before sealing. Make sure the contents may be
pennissibly disclosed to the intended recipient or properly relate to the individual. Check all
pages to make sure records or material related to other individuals are not mistakenly included
in the envelope.

 

Check the information showing on the outside of the envelope or through the address window.
Make sure identifying information that is not necessary to ensure proper delivery is not
disclosed.

 

When doing mass mailings, do a test run to ensure the system is properly performing and check
at least a sample of the mailings for the accuracy of name and address of the intended recipients
and the correct contents, as indicated above, before sending.

 

Have policies and procedures in place to safeguard protected health information that is mailed,
including processes to act on (1) name and address changes to ensure corrections are
made in all the relevant records; and (2) reports of misdirected mail to identify the cause and
take steps to prevent future incidents.

 

 

 

I: Train staff on the mailing procedures that your organization has put in place to safeguard

 

 

 

 

 

protected health information during mailing. Update the training periodically and be sure to
train new staff.

 

FAXING CHECKLIST

 

Carefully check the fax number to make sure you have the correct number for the intended
recipient. When manually entering the number, check to see that it has been entered correctly
before sending.

 

Con?rm fax number with the intended recipient when faxing to this party for the ?rst time or if
the fax number is not regularly used.

 

Program regularly used numbers into fax machines. Check to make sure you are selecting the
preprogrammed number for the correct party before sending.

 

Update fax numbers upon receipt of noti?cation of correction or change. Have
procedures for deleting outdated or unused numbers which are preprogramrned into the fax
machine.

 

Locate fax machines in areas where access can be monitored and controlled and avoid leaving
patient information on fax machines after sending.

 

Have policies and procedures in place to safeguard protected health information that is faxed,
including processes to act on (1) changes in fax numbers to ensure corrections are
made in all the relevant records; and (2) reports of a misdirected fax to identify the cause and
take steps to prevent future incidents, including revising the organization?s policies and
procedures.

 

 

 

Train sta? on the policies and procedures for the proper use of fax machines that your
organization has put in place to safeguard protected health information during faxing. Update
the training periodically and be sure to train new staff.

 

 

 

h-

 


all OF HEALTH 8: HUMAN SERVICES OFFICE OF THE SECRETARY
a; Voice 4214] rat-405a (ace) ass-1019 Too - (214) rev-saw 
{Fax} - {214) rar-ooaz Office for Civil Rights, Region VI
Man 1301 Young Street, Suite 1169
Dallas, TX 75202
JUL 1 2014

CVS Caremark

Attn: Chief Privacy Of?cer

One CVS Drive

Woonsocket, RI 02895

Our Transaction Number: 14-185006
Dear Chief Privacy O??cer:

On May 29, 2014, the US. Department of Health and Human Services (HHS), Office for Civil
Rights (OCR), Region VI received a complaint alleging that CVS Caremark, the covered entity, has
violated the Federal Standards for Privacy of Individually Identi?able Health Infonnation (45 C.F.R.
Parts 160 and 164, Subparts A and E, the Privacy Rule). Speci?cally, the complainant alleges that,
on May 29, 2014, a CVS Caremarlc workforce member mailed Iibl?libliilicl protected health
information to I address. This allegation could re?ect a violation of 45
can. 164.502(a) and 

 

 

 

OCR enforces the Privacy, Security, and Breach Noti?cation Rules, and also enforces Federal civil
rights laws which prohibit discrimination in the delivery of health and human services because of
race, color, national origin, disability, age, and under certain circumstances, sex and religion.

Generally, the Privacy Rule permits a covered entity to make disclosures of protected health
information (PHI) for a permitted purpose, through a variety of means, such as by mail or facsimile
machine, as long as the covered entity, when doing so, uses reasonable and appropriate
administrative, technical, and physical safeguards to protect the privacy of the PHI. See 45 
These safeguards may vary depending on the mode of communication used. For
example, when faxing PHI to a telephone number that is not used regularly, a reasonable safeguard
may involve a covered entity first con?rming the fax munber with the intended recipient of the fax.

In this matter, the complainant alleges that PHI was impennissibly disclosed either through the mail
or by fax. Pursuant to its authority under 45 C.F.R. 160.304(a) and OCR has determined to
resolve this matter informally through the provision of technical assistance to CVS Caremark. To
that end, OCR has enclosed a checklist of reminders on how to safely use the mail or fax machines
when sending PHI.

You are encouraged to review these materials closely and to share them with your staff as part of the
Health Insurance Portability and Accountability Act training you provide to your
workforce. You are also encouraged to assess and determine whether there may have been an
incident of noncompliance as alleged by the complainant in this matter, and, if so, to take the steps
necessary to ensure such noncompliance does not occur in the ?rture. Please contact OCR if you
need further information regarding the allegations in this matter. Should OCR receive a similar

allegation of noncompliance against CVS Caremark in the future, OCR may initiate a formal
investigation of that matter.

Based on the foregoing, OCR is closing this case without ?it'ther action, effective the date of this
letter. determination as stated in this letter applies only to the allegations in this complaint
that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other
information about this case upon request by the public. In the event OCR receives such a request, we
will make every effort, as permitted by law, to protect information that identi?es individuals or that,
if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions, please do not hesitate to contact Karen Buckner, Investigator, at 214-767-
4510 (Voice), 214-767-8940 (TDD).

Sincerely,



Jorge A. Lozano 
Regional Manager
Region VI

Enclosure: Checklist

May a physician?s of?ce or health plan use mail or fax to send patient medical information?

Yes. Where the Privacy Rule allows covered health care providers, health plans, or health care
clearinghouses to share protected health information with another organization or with the
individual, they may use a variety of means to deliver the information, as long as they use reasonable
safeguards when doing so. When the communications are in writing, the patient information may be
sent by mail, fax, or other means of reliable delivery.

The Privacy Rule requires that covered entities apply reasonable safeguards when making these
communications to protect the patient information from inappropriate use or disclosure to
unauthorized persons. These safeguards will vary depending on the mode of communication used.
For example, when mailing patient information, reasonable safeguards would include checking to
see that the name and address of the recipient are correct and current and that only the minimum
amount of patient information is showing on the outside of the envelope to ensure proper delivery to
the intended recipient. When faxing protected health information to a telephone number that is not
regularly used, a reasonable safeguard would include ?rst continuing the fax number with the
intended recipient. Similarly, a covered entity may pre-program frequently used numbers directly
into the fax machine to avoid misdirecting the information to someone who is not the intended
recipient.

The following checklists provide guidance on reasonable safeguards that a covered health care
provider, health plan, or health care clearinghouse may put in place to protect patient information
from being impennissibly disclosed during (1) mailing and (2) faxing. See 45
C.F.R. 

MAILING CHECKLIST

 

Carefully check name and address of intended recipient. Many names are similar; make sure
you have the correct name for the intended recipient on the envelope.
Make sure the address on the envelope matches the correct address of the intended recipient.

 

El Carefully check the contents of the envelope before sealing. Make sure the contents may be
permissiny disclosed to the intended recipient or properly relate to the individual. Check all
pages to make sure records or material related to other individuals are not mistakenly included
in the envelope.

 

El Check the information showing on the outside of the envelope or through the address window.
Make sure information that is not necessary to ensure proper delivery is not
disclosed.

 

When doing mass mailings, do a test run to ensure the system is properly performing and check
at least a sample of the mailings for the accuracy of name and address of the intended recipients
and the correct contents, as indicated above, before sending.

 

El Have policies and procedures in place to safeguard protected health information that is mailed,
including processes to act on (1) name and address changes to ensure corrections are
made in all the relevant records; and (2) reports of misdirected mail to identify the cause and
take steps to prevent ?lture incidents.

 

 

 

Train staff on the mailing procedures that your organization has put in place to safeguard

 

 

 

 

 

protected health information during mailing. Update the training periodically and be sure to
train new staff.

 

FAXING CHECKLIST

 

Care?illy check the fax number to make sure you have the correct number for the intended
recipient. When manually entering the number, check to see that it has been entered correctly
before sending.

 

Con?rm fax number with the intended recipient when faxing to this party for the ?rst time or if
the fax number is not regularly used.

 

Program regularly used numbers into fax machines. Check to make sure you are selecting the
preprogramrned number for the correct party before sending.

 

Update fax numbers upon receipt of noti?cation of correction or change. Have
procedures for deleting outdated or unused numbers which are preprogrammed into the fax
machine.

 

Locate fax machines in areas where access can be monitored and controlled and avoid leaving
patient information on fax machines after sending.

 

Have policies and procedures in place to safeguard protected health information that is faxed,
including processes to act on (1) changes in fax numbers to ensure corrections are
made in all the relevant records; and (2) reports of a misdirected fax to identify the cause and
take steps to prevent future incidents, including revising the organization?s policies and
procedures.

 

 

 

Train staff on the policies and procedures for the preper use of fax machines that your
organization has put in place to safeguard protected health information during faxing. Update
the training periodically and be sure to train new staff.