Regarding the news below about CVS-Caremark sharing patient information.
My friend is a “Compliance Officer” at a major hospital in a large US city. A pharmacist who became a “suit”. This is what he shared regarding the post below. ”Will This Ever End?”
CVS Caremark Customers Beware
If you are a CVS Caremark customer, be on the lookout for anti-consumer practices identified by five respected consumeCaremark’s harm to consumers. Examples includr groups who recently asked the Federal Trade Commission to unwind Corp. merger. In an April 14, 2011 letter, they say there is “strong evidence” of CVSthe CVS Caremark
My friend clearly states that CVS-Caremark violates HIPAA regulations.
All HIPAA & Privacy issues are only handled by the Office of Civil Rights & are only complaint driven. CMS just finished scolding Civil Rights for lack of agressive pursuit & fines. Expect to see more action in the near future because of this scathing report, maybe even unannounced audits of healthcare organizations both IP & OP. I just wrapped up a case that took us 13 months of activity & although there was no justification we decided to settle for $1000 before she put us through the entire appeal process & another year of legal expense. Grifters are catching on that this can make you an easy mark.
From HHS website
How To File a Complaint
If you believe that a covered entity violated your (or someone else’s) health information privacy rights or committed another violation of the Privacy or Security Rule, you may file a complaint with OCR. OCR can investigate complaints against covered entities.
COVERED ENTITIES - A covered entity is a health plan, health care clearinghouse, and any health care provider that conducts certain health care transactions electronically. For more information, please review our Understanding Health Information Privacy section or look at our responses to Frequently Asked Questions (FAQs) on our web site.
COMPLAINT REQUIREMENTS - Your complaint must:
- Be filed in writing, either on paper or electronically, by mail, fax, or e-mail;
- Name the covered entity involved and describe the acts or omissions you believe violated the requirements of the Privacy or Security Rule; and
- Be filed within 180 days of when you knew that the act or omission complained of occurred. OCR may extend the 180-day period if you can show “good cause.”
ANYONE CAN FILE! - Anyone can file a complaint alleging a violation of the Privacy or Security Rule. We recommend that you use the OCR Health Information Privacy Complaint Form Package. You can also request a copy of this form from an OCR regional office. If you need help filing a complaint or have a question about the complaint or consent forms, please e-mail OCR at OCRMail@hhs.gov.
HIPAA PROHIBITS RETALIATION - Under HIPAA an entity cannot retaliate against you for filing a complaint. You should notify OCR immediately in the event of any retaliatory action.
HOW TO SUBMIT YOUR COMPLAINT – To submit a complaint, please use one of the following methods.
If you mail or fax the complaint, be sure to send it to the appropriate OCR regional office based on where the alleged violation took place. OCR has ten regional offices, and each regional office covers specific states. Send your complaint to the attention of the OCR Regional Manager. You do not need to sign the complaint and consent forms when you submit them by e-mail because submission by e-mail represents your signature.