Listen
6 min
Share
Comment
Save
The nation’s largest pharmacy chains have handed over Americans’ prescription records to police and government investigators without a warrant, a congressional investigation found, raising concerns about threats to medical privacy.
Though some of the chains require their lawyers to review law enforcement requests, three of the largest — CVS Health, Kroger and Rite Aid, with a combined 60,000 locations nationwide — said they allow pharmacy staff members to hand over customers’ medical records in the store.
The policy was revealed in a letter sent late Monday to Xavier Becerra, the secretary of the Department of Health and Human Services, by Sen. Ron Wyden (D-Ore.) and Reps. Pramila Jayapal (D-Wash.) and Sara Jacobs (D-Calif.).
The members began investigating the practice after the Supreme Court’s decision last year in Dobbs v. Jackson Women’s Health Organization ended the constitutional right to abortion.
Advertisem*nt
The revelation could shape the debate over Americans’ expectations of privacy as Texas and other states move to criminalize abortion and drugs related to reproductive health.
Pharmacies’ records hold some of the most intimate details of their customers’ personal lives, including years-old medical conditions and the prescriptions they take for mental health and birth control.
Because the chains often share records across all locations, a pharmacy in one state can access a person’s medical history from states with more-restrictive laws. Carly Zubrzycki, an associate professor at the University of Connecticut law school, wrote last year that this could link a person’s out-of-state medical care via a “digital trail” back to their home state.
Now for sale: Data on your mental health
The Health Insurance Portability and Accountability Act, or HIPAA, regulates how health information is used and exchanged among “covered entities” such as hospitals and doctor’s offices. But the law gives pharmacies leeway as to what legal standard they require before disclosing medical records to law enforcement.
Advertisem*nt
In briefings, officials with eight American pharmacy giants — Walgreens Boots Alliance, CVS, Walmart, Rite Aid, Kroger, Cigna, Optum Rx and Amazon Pharmacy — told congressional investigators that they required only a subpoena, not a warrant, to share the records.
A subpoena can be issued by a government agency and, unlike a court order or warrant, does not require a judge’s approval. To obtain a warrant, law enforcement must convince a judge that the information is vital to investigate a crime.
Officials with CVS, Kroger and Rite Aid said they instruct their pharmacy staff members to process law enforcement requests on the spot, saying the staff members face “extreme pressure to immediately respond,” the lawmakers’ letter said.
The eight pharmacy giants told congressional investigators that they collectively received tens of thousands of legal demands every year, and that most were in connection with civil lawsuits. It’s unclear how many were related to law enforcement demands, or how many requests were fulfilled.
Advertisem*nt
Only one of the companies, Amazon, said it notified customers when law enforcement demanded its pharmacy records unless there was a legal prohibition, such as a “gag order,” preventing it from doing so, the lawmakers said.
Americans can request the companies tell them if they’ve ever disclosed their data under a HIPAA “accounting of disclosure” rule, but very few people do. CVS, which has more than 40,000 pharmacists and 10,000 stores in the United States, said it received a “single-digit number” of such consumer requests last year, the letter states.
CVS, the country’s largest pharmacy by prescription revenue, said in a statement that it is compliant with HIPAA and that its pharmacy teams are “trained on how to appropriately respond to lawful requests from regulatory agencies and law enforcement.”
Advertisem*nt
“We have suggested a warrant or judge-issued subpoena requirement be considered and we look forward to working cooperatively with Congress to strengthen patient privacy protections,” company spokeswoman Amy Thibault said.
Most investigative requests come with a directive requiring the company to keep them confidential, she said; for those that don’t, the company considers “on a case-by-case basis whether it’s appropriate to notify the individual.” The company intends to begin publishing a transparency report that will include information on third-party record requests starting in the first quarter of next year, she said.
HHS did not immediately respond to requests for comment.
A Walgreens spokesman said the company’s law enforcement process follows HIPAA and other applicable laws. A Walmart spokeswoman said the company takes its “customers’ privacy seriously as well as our obligation to law enforcement.”
Advertisem*nt
An Amazon spokeswoman said that the company cooperates with law enforcement requests as required and that such requests “represent a very small percentage of the prescriptions we fill for customers.” (Amazon founder Jeff Bezos owns The Washington Post, and interim Post CEO Patty Stonesifer is a member of Amazon’s board.)
Rite Aid declined to comment. The other companies did not respond to requests for comment.
Carmel Shachar, an assistant clinical professor at Harvard Law School who researches health law and policy, said that pharmacies hold a “ton of sensitive data” and that pharmacists are probably not trained to evaluate the merits or validity of a police request — or to turn an officer down.
“These need to go to someone who understands privacy law for review,” she said. “It probably feels very nerve-racking to get a subpoena and tell the person who gave it to you, ‘Oh, you’ll have to wait.’”
States where abortion is legal, banned or under threat
The pharmacy data could be especially concerning for the nearly 1 in 3 women ages 15 to 44 who a Post analysis found live in states where abortion is fully or mostly banned.
Advertisem*nt
In Texas, Attorney General Ken Paxton (R) has warned pharmacies they could face criminal charges for providing women with “abortion-inducing drugs.” Kate Cox, a Dallas-area mother of two who sought an abortion after learning her fetus had a fatal genetic condition, left the state on Monday after the Texas Supreme Court blocked a lower-court ruling that would have allowed her to get the procedure.
Some states, such as Louisiana, Montana and Pennsylvania, offer additional protections for medical data disclosure, though federal law enforcement is not subject to their laws.
In their letter, the lawmakers called on HHS to strengthen HIPAA’s rules and ensure pharmacies insist on a warrant, which would require law enforcement go to court to enforce such requests.
The lawmakers noted that the tech industry had adopted a similar change in the early 2010s, when Google, Microsoft and Yahoo began demanding to see warrants before providing data on customers’ emails.
They also urged the companies to proactively notify customers and to publish regular transparency reports highlighting the volume of law enforcement requests.
“Americans deserve to have their private medical information protected at the pharmacy counter,” they wrote.
As a privacy and healthcare data expert with a deep understanding of the complexities surrounding the intersection of technology, law, and medical privacy, I can shed light on the various concepts touched upon in the provided article. My expertise stems from extensive research and practical knowledge in the fields of health information privacy, data protection laws, and the evolving landscape of digital health.
The central theme of the article revolves around the revelation that major pharmacy chains, including CVS Health, Kroger, and Rite Aid, have been providing Americans' prescription records to law enforcement and government investigators without the necessity of a warrant. This practice has raised significant concerns about the potential threats to medical privacy, especially in the context of evolving legal landscapes such as Texas's move to criminalize abortion and drugs related to reproductive health.
-
Medical Privacy and HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) is a key regulatory framework that governs the use and exchange of health information among covered entities, such as hospitals and doctor's offices. However, pharmacies have a certain degree of leeway under HIPAA regarding the legal standards required before disclosing medical records to law enforcement.
-
Legal Standards for Disclosure: The article highlights that, according to briefings from eight major pharmacy chains, including Walgreens Boots Alliance, CVS, Walmart, Rite Aid, Kroger, Cigna, Optum Rx, and Amazon Pharmacy, these entities typically require only a subpoena, not a warrant, to share medical records. A subpoena, unlike a warrant, does not necessitate judicial approval.
-
Pharmacy Practices: CVS, Kroger, and Rite Aid are singled out in the article for allowing pharmacy staff members to process law enforcement requests on the spot, emphasizing the "extreme pressure to immediately respond." The sheer volume of legal demands faced by these pharmacy giants, often in connection with civil lawsuits, is mentioned, though the exact number related to law enforcement demands is unclear.
-
Customer Notification and Transparency: The article notes that only Amazon among the mentioned companies notifies customers when law enforcement demands pharmacy records unless legally prohibited by a "gag order." The lawmakers recommend that companies proactively notify customers and publish regular transparency reports to highlight the volume of law enforcement requests, akin to practices adopted by the tech industry in the early 2010s.
-
Legal and Ethical Implications: Legal experts, including lawmakers and a professor from Harvard Law School, express concerns about the sensitivity of pharmacy data, the lack of training for pharmacists in evaluating the merits of law enforcement requests, and the need for a stronger legal framework to protect patient privacy.
In conclusion, the article brings to light the intricate balance between law enforcement needs, individual privacy rights, and the responsibilities of healthcare providers in safeguarding sensitive medical information. It underscores the need for potential legal reforms, increased transparency, and a heightened focus on protecting Americans' private medical information at the pharmacy counter.
