CVS PHARMACY NOTICE OF PRIVACY PRACTICES
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
This Notice of Privacy Practices (the Notice) describes the privacy practices of CVS Pharmacy®, Inc. (CVS). In this Notice, we may also refer to CVS, we, us or our. It also applies to the members of its Affiliated Covered Entity (CVS ACE). This is a group of covered entities and health care providers we own or control. They designate themselves as a single entity to comply with the Health Insurance Portability and Accountability Act ("HIPAA"). The members of the CVS ACE can share Protected Health Information (PHI) with each other. We do this for the treatment, payment and health care operations of the CVS ACE and as allowed by HIPAA and this Notice. For a complete list of the members of the CVS ACE, contact the CVS Privacy Office.
By law, we must protect your PHI. We must provide you with this Notice explaining our legal duties and privacy practices for your PHI. This Notice describes how we may use and disclose your PHI. We provide you with some examples, but we don’t spell out every allowable use or disclosure in this Notice. This Notice also describes your rights and what we must do to use and disclose your PHI. We, and our employees and workforce members, must follow the terms of this Notice and any changes we make to it.
We must follow state privacy laws that are stricter (or more protective of your PHI) than federal law. Some types of sensitive PHI may require even more privacy protections under state or federal law. These may include HIV information, genetic details, alcohol and/or substance abuse records and mental health records. If you would like more information on protections in your state, contact the CVS Privacy Office. You can also contact that office to learn more about use or disclosure restrictions for sensitive PHI.
Explaining Protected Health Information (PHI)
PHI is information about you that we need to provide our services to you, and that may be used to identify you. It includes your name and contact information. It also includes information about your health, medical conditions and prescriptions. It may also relate to your:
How we may use and share your PHI
We may use and share your PHI for varied reasons. For instance:
Treatment: We may use and disclose your PHI to provide and help you get the treatment, medication, and services you receive. For example, we may:
Payment: We may use and share your PHI to obtain payment for the services we provide to you and for other payment activities related to the services we provide. For example, we may:
Health care operations: We may use and share your PHI for our health care operations. Those are activities we need to do to carry out our health care business. For example, we may:
Other uses and disclosures of your PHI that don’t require your approval
We are also allowed or required to use or share your PHI without your okay in other situations, including:
Business associates: We may allow access to those who provide services to us and assure us they will protect the information. For example, third parties who perform billing or consulting services. They are required by law and their agreements with us to protect your PHI in the same way we do.
People involved in your care or for payment of it: We may share your PHI with certain people who are involved in your care or the payment of it. This may include a friend, personal representative, family member or any other person you identify as a caregiver. For example, we may provide prescriptions and related information to your caregiver on your behalf. We may also make these disclosures after your death unless you’ve expressly told us not to do so. Upon your death, we may disclose your PHI to a person allowed by law to act for your estate. If you are a minor, we may release your PHI to your parents or legal guardians when permitted or required by law
Workers' compensation: We may share your PHI to comply with workers’ compensation laws or similar programs.
Law enforcement: We may share your PHI with law enforcement officials as permitted or required by law. For example, we may share your PHI to report certain injuries or to report criminal conduct that happens on our premises. Also, we may share it in response to a court order, subpoena, warrant or similar written request from law enforcement.
Required by law: We will share your PHI to comply with federal, state or local law.
Judicial and administrative proceedings: We may share your PHI in response to a court or administrative order, subpoena, discovery request or other lawful process.
Public health and safety purposes: We may share your PHI in certain situations to help with public health and safety issues. For example, to:
Health oversight activities: We may share your PHI to an oversight agency for certain activities, including:
Research: Under certain circumstances, we may use or disclose your PHI for research purposes. For example, we may use or disclose your PHI as part of a research study when the research has been approved by an institutional review board and there is an established protocol to ensure the privacy of your information.
Coroners, medical examiners and funeral directors: We may share your PHI to these entities so they may carry out their duties.
Organ or tissue donation: We may share your PHI to organ procurement organizations.
Notification: We may use or share your PHI to notify or to help to notify a family member or any other person responsible for your care about your location, general condition or death. We may also disclose your PHI to disaster relief groups so that your family or others responsible for your care can learn of your location, general condition or death.
Correctional institution: We may share your PHI to a correctional institution or its agents if you are or become an inmate. This is to help them provide your health care, and protect your health and safety, and that of others.
Specialized government functions and Military: We may share your PHI to authorized federal officials for the conduct of military, national security activities, and other specialized government functions. If you are a member of the U.S. armed forces or the foreign military, we may disclose your PHI for activities deemed necessary by appropriate command authorities or under the law.
Uses or disclosures that require your approval
In some situations, we may only use and share your PHI when you say it’s okay in writing to use or disclose your PHI. For example, without it, we won't:
We will need your written approval before using or disclosing your PHI for purposes other than those described in this Notice or permitted by law. You may revoke your approval anytime. Just send a written notice to the CVS Privacy Office. Your revocation will be effective upon receipt. But it will not undo any use or sharing of your PHI that has already happened based on your permission.
Your health information rights
Written requests and other information: You may ask for more information about our privacy practices, or obtain forms for submitting written requests. Just contact the CVS Privacy Officer
Obtain a copy of the Notice: You have the right to a paper copy of our current Notice anytime. You may do so by going to the site where you obtain health care services from us. You can also contact the CVS Privacy Office.
Inspect and obtain a copy of your PHI: With a few exceptions, you have the right to see and get a copy of the PHI we have about you.
To inspect or get a copy of your PHI, send a written request to the CVS Privacy Office. You may also ask us to provide a copy of your PHI to someone else. We may charge a reasonable fee for this. HIPAA and/or state law allows this fee.
We may deny your request to inspect and copy your record in certain cases. If we do, we will notify you in writing. We will let you know if you may request a review of the denial.
Request a change: If you feel the PHI we have about you is wrong or incomplete, you may ask us to fix it. For example, if your date of birth is incorrect, you may ask us to correct it.
Send a written request to the CVS Privacy Office. You must include a reason for your request. If we deny your request, we will explain in writing why we did so.
Receive a report of disclosures: You have the right to ask for a list of certain disclosures we make of your PHI for purposes other than treatment, payment or health care operations. This is called an "accounting." (Note certain other disclosures are not required in the report we give to you.)
To get a list of the disclosures, send a written request to the CVS Privacy Office. We will provide one report every 12 months free of charge. But we may charge you for the cost of any other reports. We will notify you in advance of the cost. You may withdraw or modify your request at that time.
Request a restriction on certain uses and disclosures: You have the right to ask for limits on the way we use or share your PHI. Just send a written request to the CVS Privacy Office.
We aren’t required to agree to your request except where the disclosure:
If you don’t want a claim sent to your health plan, talk to your pharmacist or health care provider when you check in for care or before your prescription is sent to the pharmacy.
Request confidential communications: You have the right to request that we communicate with you in a certain way or at a certain location. For example, you may ask that we contact you only in writing at a specific address.
To request confidential communication of your PHI, send a written request to the CVS Privacy Office. Your request must state how, where or when you would like us to contact you. We will accommodate all reasonable requests.
Notification of breach: You have a right to know if there is a breach of your unsecured PHI, as defined by HIPAA.
To report a problem
Complaints: If you believe your privacy rights were violated, you can file a complaint with the:
Submit all complaints in writing. We won’t penalize you or retaliate against you in any way if you file a complaint.
Changes to this Notice
We may change the terms of this Notice and our privacy policies anytime. If we do, the new terms and policies will be effective for all the information we now have about you. And they’ll apply to any information that we may get or hold in the future.
If we make material or important changes to our privacy practices, we will promptly revise our Notice.
You can ask for a copy of the revised Notice, just ask the CVS Privacy Office.
We will also post the revised Notice in our retail stores and on our website. Go to CVS.com/PatientPrivacy. There will also be copies at our sites and locations where you receive health care products and services from us.
Effective Date. This Notice is effective as of 07/16/2017. It was updated on 02/22/2022