
Pharmacies Handing Over Prescription Records Raises Concerns on Medical Privacy

Concerns Raised about Medical Privacy

The nation’s largest pharmacy chains, including CVS Health, Kroger, and Rite Aid, have been found to voluntarily provide Americans’ prescription records to law enforcement and government investigators without a warrant, according to a congressional investigation. This revelation has raised significant concerns about the protection of medical privacy.

Although some pharmacy chains require their lawyers to review law enforcement requests, CVS Health, Kroger, and Rite Aid, which together operate 60,000 locations across the country, allow pharmacy staff members to hand over customers’ medical records directly in-store. This policy was uncovered through a letter sent by Senator Ron Wyden, Representative Pramila Jayapal, and Representative Sara Jacobs to Xavier Becerra, the secretary of the Department of Health and Human Services.

Pharmacies Hold Intimate Personal Information

Pharmacies hold a wealth of personal information about their customers, including sensitive details such as years-old medical conditions and prescriptions for mental health and birth control. Since pharmacy chains often share records across locations, a pharmacy in one state can access an individual’s complete medical history, even if they reside in states with stricter privacy laws. This creates a potential “digital trail” linking a person’s out-of-state medical care back to their home state.

The Health Insurance Portability and Accountability Act (HIPAA), which regulates the use and exchange of health information, applies to “covered entities” such as hospitals and doctor’s offices. However, its application to pharmacy chains and their sharing of records without warrants is not clear.

Policies of the Largest Pharmacy Giants

In briefings with congressional investigators, officials representing Walgreens Boots Alliance, CVS, Walmart, Rite Aid, Kroger, Cigna, Optum Rx, and Amazon Pharmacy stated that they only required a subpoena, not a warrant, to share prescription records. Unlike a court order or warrant, a subpoena does not require a judge’s approval and can be issued by a government agency.

CVS, Kroger, and Rite Aid revealed that their pharmacy staff members were instructed to process law enforcement requests immediately due to “extreme pressure to respond.” However, the lawmakers’ letter did not specify the number of requests fulfilled or the proportion of law enforcement demands. Only Amazon stated that it would notify customers when law enforcement demanded their pharmacy records, unless prevented by a legal prohibition such as a “gag order.” Other companies, including Amazon, did not comment on the matter.

Efforts to Strengthen Patient Privacy Protections

The lawmakers urged the Department of Health and Human Services (HHS) to enhance HIPAA’s rules and ensure that pharmacies require a warrant from law enforcement. This would obligate officials to seek court approval to enforce such requests.

CVS expressed its support for the consideration of a warrant or judge-issued subpoena requirement and its willingness to collaborate with Congress in strengthening patient privacy protections. The company received a limited number of consumer requests under HIPAA’s “Accounting of Disclosure” rule, but the exact number remains undisclosed.

To improve transparency, CVS plans to publish a report in the first quarter of next year that includes information about third-party record requests.

Carmel Shachar, an assistant clinical professor at Harvard Law School, emphasized the significance of pharmacies’ handling of sensitive data. She noted that pharmacists may not possess the expertise to evaluate the merits or validity of a police request or to reject an officer’s demand. Shachar emphasized the need for privacy law experts to review such requests.

Some states, such as Louisiana, Montana, and Pennsylvania, offer additional protections for medical data disclosure. However, federal law enforcement agencies are not bound by these state laws.

The lawmakers’ call for stronger HIPAA rules resembles the tech industry’s adoption of warrant requirements for access to customer email data by companies like Google, Microsoft, and Yahoo during the early 2010s, which serves as an example for potential improvements.

