Skip to main content



This Notice of Privacy Practices (the Notice) describes the privacy practices of CVS Pharmacy®, Inc. (CVS). In this Notice, we may also refer to CVS, we, us or our. It also applies to the members of its Affiliated Covered Entity (CVS ACE). This is a group of covered entities and health care providers we own or control. They designate themselves as a single entity to comply with the Health Insurance Portability and Accountability Act ("HIPAA"). The members of the CVS ACE can share Protected Health Information (PHI) with each other. We do this for the treatment, payment and health care operations of the CVS ACE and as allowed by HIPAA and this Notice. For a complete list of the members of the CVS ACE, contact the CVS Privacy Office.

By law, we must protect your PHI. We must provide you with this Notice explaining our legal duties and privacy practices for your PHI. This Notice describes how we may use and disclose your PHI. We provide you with some examples, but we don’t spell out every allowable use or disclosure in this Notice. This Notice also describes your rights and what we must do to use and disclose your PHI. We, and our employees and workforce members, must follow the terms of this Notice and any changes we make to it.

We must follow state privacy laws that are stricter (or more protective of your PHI) than federal law. Some types of sensitive PHI may require even more privacy protections under state or federal law. These may include HIV information, genetic details, alcohol and/or substance abuse records and mental health records. If you would like more information on protections in your state, contact the CVS Privacy Office. You can also contact that office to learn more about use or disclosure restrictions for sensitive PHI.

Explaining Protected Health Information (PHI)

PHI is information about you that we need to provide our services to you, and that may be used to identify you. It includes your name and contact information. It also includes information about your health, medical conditions and prescriptions. It may also relate to your:

  • Past, present or future physical or mental health or condition
  • Provision of health care products and services to you
  • Payment for such products or services

How we may use and share your PHI

We may use and share your PHI for varied reasons. For instance:

Treatment: We may use and disclose your PHI to provide and help you get the treatment, medication, and services you receive. For example, we may:

  • Share your PHI with other parties (such as pharmacies, doctors, hospitals or other health care providers) to help them provide care to you or coordinate your care. In some cases, uses and disclosures of your PHI may be made through a Health Information Exchange or other shared system.
  • Contact you to offer services related to your treatment. These may include:
    • Reminders to refill your medicine
    • Suggestions for other treatment options (such as generic medicines)
    • Messages that urge you to take your medicine and follow your doctor's advice

Payment: We may use and share your PHI to obtain payment for the services we provide to you and for other payment activities related to the services we provide. For example, we may:

  • Share your PHI with your insurer, pharmacy benefit manager, or other health care payor to determine whether it will pay for your health care products and services. This also may tell us how much you may owe.
  • Contact you about a payment or balance due for prescriptions you get from us.
  • Share your PHI to other health care providers, health plans or other HIPAA Covered Entities who may need it for their payment purposes.

Health care operations: We may use and share your PHI for our health care operations. Those are activities we need to do to carry out our health care business. For example, we may:

  • Use and share your PHI to monitor the quality of our health care services, provide customer services to you, resolve complaints and coordinate your care.
  • Transfer or receive your PHI if we buy or sell pharmacy locations.
  • Use and share your PHI to contact you about health-related products and programs. Or to tell you about things we think may interest you, such as programs for CVS patients.
  • Share your PHI with other HIPAA Covered Entities that have provided services to you. We do this so they can improve the quality and value of the health care services they provide or for their health care operations.
  • Use your PHI to create de-identified data. This is data that no longer identifies you. We may use it or share it for analytics, business planning or other reasons.

Other uses and disclosures of your PHI that don’t require your approval

We are also allowed or required to use or share your PHI without your okay in other situations, including:

Business associates: We may allow access to those who provide services to us and assure us they will protect the information. For example, third parties who perform billing or consulting services. They are required by law and their agreements with us to protect your PHI in the same way we do.

People involved in your care or for payment of it: We may share your PHI with certain people who are involved in your care or the payment of it. This may include a friend, personal representative, family member or any other person you identify as a caregiver. For example, we may provide prescriptions and related information to your caregiver on your behalf. We may also make these disclosures after your death unless you’ve expressly told us not to do so. Upon your death, we may disclose your PHI to a person allowed by law to act for your estate. If you are a minor, we may release your PHI to your parents or legal guardians when permitted or required by law

Workers' compensation: We may share your PHI to comply with workers’ compensation laws or similar programs.

Law enforcement: We may share your PHI with law enforcement officials as permitted or required by law. For example, we may share your PHI to report certain injuries or to report criminal conduct that happens on our premises. Also, we may share it in response to a court order, subpoena, warrant or similar written request from law enforcement.

Required by law: We will share your PHI to comply with federal, state or local law.

Judicial and administrative proceedings: We may share your PHI in response to a court or administrative order, subpoena, discovery request or other lawful process.

Public health and safety purposes: We may share your PHI in certain situations to help with public health and safety issues. For example, to:

  • Prevent disease
  • Report adverse reactions to medicine
  • Report suspected abuse, neglect or domestic violence
  • Prevent or reduce a threat to a person’s health or safety

Health oversight activities: We may share your PHI to an oversight agency for certain activities, including:

  • Audits, investigations, inspections, licensure or disciplinary actions
  • Civil, administrative and criminal proceedings
  • As necessary for oversight of the health care system, government programs or compliance with civil rights laws

Research: Under certain circumstances, we may use or disclose your PHI for research purposes. For example, we may use or disclose your PHI as part of a research study when the research has been approved by an institutional review board and there is an established protocol to ensure the privacy of your information.

Coroners, medical examiners and funeral directors: We may share your PHI to these entities so they may carry out their duties.

Organ or tissue donation: We may share your PHI to organ procurement organizations.

Notification: We may use or share your PHI to notify or to help to notify a family member or any other person responsible for your care about your location, general condition or death. We may also disclose your PHI to disaster relief groups so that your family or others responsible for your care can learn of your location, general condition or death.

Correctional institution: We may share your PHI to a correctional institution or its agents if you are or become an inmate. This is to help them provide your health care, and protect your health and safety, and that of others.

Specialized government functions and Military: We may share your PHI to authorized federal officials for the conduct of military, national security activities, and other specialized government functions. If you are a member of the U.S. armed forces or the foreign military, we may disclose your PHI for activities deemed necessary by appropriate command authorities or under the law.

Uses or disclosures that require your approval

In some situations, we may only use and share your PHI when you say it’s okay in writing to use or disclose your PHI. For example, without it, we won't:

  • Use or disclose your PHI for marketing purposes.
  • Sell your PHI to third parties. (But we may do so without your permission if we transfer a business to another health care provider that must comply with HIPAA.)
  • Share psychotherapy notes (if we have any).

We will need your written approval before using or disclosing your PHI for purposes other than those described in this Notice or permitted by law. You may revoke your approval anytime. Just send a written notice to the CVS Privacy Office. Your revocation will be effective upon receipt. But it will not undo any use or sharing of your PHI that has already happened based on your permission.

Your health information rights

Written requests and other information: You may ask for more information about our privacy practices, or obtain forms for submitting written requests. Just contact the CVS Privacy Officer

  • By writing: CVS Privacy Office, One CVS Dr., Woonsocket RI 02895
  • By phone: Toll-free at 1-866-443-0933

Obtain a copy of the Notice: You have the right to a paper copy of our current Notice anytime. You may do so by going to the site where you obtain health care services from us. You can also contact the CVS Privacy Office.

Inspect and obtain a copy of your PHI: With a few exceptions, you have the right to see and get a copy of the PHI we have about you.

To inspect or get a copy of your PHI, send a written request to the CVS Privacy Office. You may also ask us to provide a copy of your PHI to someone else. We may charge a reasonable fee for this. HIPAA and/or state law allows this fee.

We may deny your request to inspect and copy your record in certain cases. If we do, we will notify you in writing. We will let you know if you may request a review of the denial.

Request a change: If you feel the PHI we have about you is wrong or incomplete, you may ask us to fix it. For example, if your date of birth is incorrect, you may ask us to correct it.

Send a written request to the CVS Privacy Office. You must include a reason for your request. If we deny your request, we will explain in writing why we did so.

Receive a report of disclosures: You have the right to ask for a list of certain disclosures we make of your PHI for purposes other than treatment, payment or health care operations. This is called an "accounting." (Note certain other disclosures are not required in the report we give to you.)

To get a list of the disclosures, send a written request to the CVS Privacy Office. We will provide one report every 12 months free of charge. But we may charge you for the cost of any other reports. We will notify you in advance of the cost. You may withdraw or modify your request at that time.

Request a restriction on certain uses and disclosures: You have the right to ask for limits on the way we use or share your PHI. Just send a written request to the CVS Privacy Office.

We aren’t required to agree to your request except where the disclosure:

  • Is to a health plan or insurer for purposes of carrying out payment or health care operations
  • Is not otherwise required by law
  • Is PHI related to a health care item or service for which you, or a person on your behalf, has paid in full out of pocket

If you don’t want a claim sent to your health plan, talk to your pharmacist or health care provider when you check in for care or before your prescription is sent to the pharmacy.

Request confidential communications: You have the right to request that we communicate with you in a certain way or at a certain location. For example, you may ask that we contact you only in writing at a specific address.

To request confidential communication of your PHI, send a written request to the CVS Privacy Office. Your request must state how, where or when you would like us to contact you. We will accommodate all reasonable requests.

Notification of breach: You have a right to know if there is a breach of your unsecured PHI, as defined by HIPAA.

To report a problem

Complaints: If you believe your privacy rights were violated, you can file a complaint with the:

  • CVS Privacy Officer
  • Secretary of the U.S. Department of Health and Human Services

Submit all complaints in writing. We won’t penalize you or retaliate against you in any way if you file a complaint.

Changes to this Notice

We may change the terms of this Notice and our privacy policies anytime. If we do, the new terms and policies will be effective for all the information we now have about you. And they’ll apply to any information that we may get or hold in the future.

If we make material or important changes to our privacy practices, we will promptly revise our Notice.

You can ask for a copy of the revised Notice, just ask the CVS Privacy Office.

We will also post the revised Notice in our retail stores and on our website. Go to There will also be copies at our sites and locations where you receive health care products and services from us.

Effective Date. This Notice is effective as of 07/16/2017. It was updated on 02/22/2022