Since February, CVS Caremark has been pushing its pharmacists to enroll customers in a prescription-drug rewards program. It gives customers the opportunity to earn up to $50 a year in store credits.
The benefit to CVS is persuading pharmacy customers to give up federal privacy safeguards for their medical information and permitting the company to share people's drug purchases with others.
"It's very troubling," said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse. "Pharmaceutical companies obviously would want to know what you're taking and get you to buy more expensive medicines."
Walgreens and Rite Aid have their own rewards programs, but officials at each company said they don't require customers to relinquish federal privacy protections.
CVS announced Feb. 4 that it was expanding its ExtraCare rewards program to include prescription drug purchases. The new program, ExtraCare Pharmacy & Health Rewards, allows customers to earn $5 worth of store credits for every 10 prescriptions filled, up to $50 a year.
The fine print on CVS' website says that "each person must sign a HIPAA Authorization to join" and that "you must re-sign the HIPAA Authorization once per year to retain active enrollment."
The Health Insurance Portability and Accountability Act is a federal law that requires insurers, hospitals, doctors and pharmacies to keep your medical information under wraps. Breaking the law can result in civil and criminal penalties.
What CVS calls a "HIPAA Authorization" is not simply a matter of allowing the company "to record the prescription earnings" of ExtraCare members, as CVS indicates during the enrollment process.
That last step is where you encounter a screen saying you acknowledge that "my health information may potentially be re-disclosed and thus is no longer protected by the federal Privacy Rule."
The company assumes you are aware of what it means to no longer be protected by HIPAA. Nor has CVS disclosed with whom your previously confidential medical information may be shared and for what purposes.
"Without HIPAA, they could be shipping data to who knows where," said Andrew Hicks at Coalfire Systems, a consulting firm that helps clients comply with HIPAA regulations.
Mike DeAngelis, a CVS spokesman, declined to answer when asked whether CVS believes it is adequately disclosing what HIPAA is or what the potential ramifications could be for those who forgo their privacy rights.