By David Lazarus
Los Angeles Times
CVS Caremark has been pushing its pharmacists to enroll customers in a prescription-drug rewards program. The benefit to customers is the opportunity to earn up to $50 a year in store credits that can be used to buy shampoo, toothpaste or other products.
The benefit to CVS is persuading pharmacy customers, through questionable means, to give up federal privacy safeguards for their medical information and permitting the company to share people’s drug purchases with others.
“It’s very troubling,” said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse in San Diego.
“Your medical information is very sensitive,” he said. “Pharmaceutical companies obviously would want to know what you’re taking and get you to buy more expensive medicines.”
Walgreens and Rite Aid have their own rewards programs for prescription drugs. But officials at each company said they don’t require customers to relinquish federal privacy protections.
CVS announced last Feb. 4 that it was expanding its ExtraCare rewards program to include prescription drug purchases. The new program, ExtraCare Pharmacy & Health Rewards, allows customers to earn $5 worth of store credits for every 10 prescriptions filled, up to $50 a year.
“Pharmacy is the heart of our business, and we know how important it is to help our customers manage multiple prescriptions and adhere to their medication therapy,” said Rob Price, senior vice president and chief marketing officer for CVS’ drugstore operations.
“This new program expands the ExtraCare rewards customers love, encouraging our customers to more proactively manage their overall health.”
However, there’s more to the program than that.
The fine print on CVS’ website says that “each person must sign a HIPAA Authorization to join” and that “you must re-sign the HIPAA Authorization once per year to retain active enrollment.”
Among the site’s frequently asked questions for the program is, “Why do I need to sign a HIPAA Authorization?”
The answer: “The HIPAA Authorization allows CVS/pharmacy to record the prescription earnings of each person who joins the ExtraCare Pharmacy & Health Rewards program.”
Nowhere does CVS clarify what HIPAA is. It’s a serious omission.
HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. It’s a privacy law that, according to the U.S. Department of Health & Human Services, “gives you rights over your health information and sets rules and limits on who can look at and receive your health information.”
Basically, HIPAA requires insurers, hospitals, doctors, dentists and pharmacies to keep your medical information under wraps. Breaking the law can result in civil and criminal penalties, including prison terms and fines of up to $1.5 million for each violation.
What CVS calls a “HIPAA Authorization,” therefore, is not to be taken lightly. Nor is it simply a matter of allowing the company “to record the prescription earnings” of ExtraCare members, as CVS indicates during the final stage of the enrollment process.
That last step is where you encounter a screen saying you acknowledge that “my health information may potentially be re-disclosed and thus is no longer protected by the federal Privacy Rule.” CVS takes the liberty of assuming you know that HIPAA and the “federal Privacy Rule” are one and the same, although it has nowhere made the connection clear.
The company also assumes you are aware of what it means to no longer be protected by HIPAA, although it hasn’t spelled out the implications of giving up your HIPAA rights.
Nor has CVS disclosed with whom your previously confidential medical information may be shared and for what purposes.
HIPAA prevents drugstores from sharing customers’ confidential medical information with insurers, pharmaceutical companies, marketers and anyone else with an interest in what medicines people are taking, said Andrew Hicks at Coalfire Systems, a consulting firm that helps clients comply with HIPAA regulations.