Protecting Our Customers

At CVS Caremark, we believe our customer relationships are built on superior service and deep trust. We understand the responsibility our customers place with us regarding their health, thus we are committed to securely maintaining the privacy of our customers’ personal and health information. We have extensive procedures, stringent policies and state-of-the-art technology in place company-wide to safeguard protected personal and health information, and we comply with HIPAA privacy requirements and other applicable state and federal laws.

We also adhere to industry standards and utilize a number of procedures to ensure the security of credit card information, guard against identity theft and prevent fraud. Our Information Security Office defines and implements enterprise-wide policies and has developed a security framework, which controls user authentication and authorization and includes intrusion-detection software and firewalls at all entry points to the network. All company laptop computers include encryption software.

Depending on the roles and responsibilities of employees across the organization, privacy (specifically HIPAA) and security training for employees covers policies and procedures, disclosure violations and physical and technical standards, as well as employee responsibilities and sanctions.

Development of the Common Security Framework

In 2008, as a founding participant and Executive Council member of the Health Information Trust Alliance (HITRUST), we took a leadership role in the development of the Common Security Framework for the protection of health information. Released in early 2009, the new Framework represents an 18-month effort led by an integrated team of professionals from health care, professional services and information technology organizations. It is the first IT security control Framework developed explicitly for health care information.

In 2009, we will work with HITRUST to develop a set of tools and services aimed at protecting sensitive health information and reducing the risk of security and privacy breaches.

Protecting Patient Privacy

In our retail operations, we protect patient privacy by maintaining consistent workflow safeguards and by effectively managing:

• Pharmacy and patient interactions—We use soft voices for conversations between pharmacy staff and patients; ask customers to provide their address so we can verify their identity; and train our staff on our policies and procedures for protecting patient privacy.
• Pharmacy layout and design—We set aside a specially designated area for patient and pharmacist consultations; install privacy shields on computer displays; and provide a physically secure pharmacy entrance for authorized personnel.
• Secure disposal of confidential waste—We are committed to being an industry leader in privacy matters and place a high priority on protecting our customers’ private information. We have comprehensive policies and procedures in place to effectively manage the proper disposal of confidential waste and have instituted a chain-wide shredding program for confidential waste.
• Privacy notification—We provide our privacy notices and policies on our Web sites and print our privacy policy in prescription monographs for first-time customers.
• Privacy complaints—We maintain a privacy office that responds to every privacy complaint with a set protocol that involves: processing, tracking, reviewing, making improvements and when appropriate, retraining or developing a corrective plan.
• ExtraCare cardholder privacy—We do not give or sell cardholder information to manufacturers or direct marketers. Cardholders are required to acknowledge our privacy statement and option to receive special offers.

Similar policies and procedures are in place to protect patient privacy at CVS Caremark’s mail order and specialty pharmacies and in our MinuteClinic operations, although they have been adapted to meet the unique workflows of these operations.