US Pharmacies Share Medical Data with Police Without a Warrant, Inquiry Finds

The Washington Post reports that America's largest pharmacy chains have "handed over Americans' prescription records to police and government investigators without a warrant, a congressional investigation found, raising concerns about threats to medical privacy." Though some of the chains require their lawyers to review law enforcement requests, three of the largest — CVS Health, Kroger and Rite Aid, with a combined 60,000 locations nationwide — said they allow pharmacy staff members to hand over customers' medical records in the store... Pharmacies' records hold some of the most intimate details of their customers' personal lives, including years-old medical conditions and the prescriptions they take for mental health and birth control. Because the chains often share records across all locations, a pharmacy in one state can access a person's medical history from states with more-restrictive laws. Carly Zubrzycki, an associate professor at the University of Connecticut law school, wrote last year that this could link a person's out-of-state medical care via a "digital trail" back to their home state...

In briefings, officials with eight American pharmacy giants — Walgreens Boots Alliance, CVS, Walmart, Rite Aid, Kroger, Cigna, Optum Rx and Amazon Pharmacy — told congressional investigators that they required only a subpoena, not a warrant, to share the records.

A subpoena can be issued by a government agency and, unlike a court order or warrant, does not require a judge's approval. To obtain a warrant, law enforcement must convince a judge that the information is vital to investigate a crime. Officials with CVS, Kroger and Rite Aid said they instruct their pharmacy staff members to process law enforcement requests on the spot, saying the staff members face "extreme pressure to immediately respond," the lawmakers' letter said. The eight pharmacy giants told congressional investigators that they collectively received tens of thousands of legal demands every year, and that most were in connection with civil lawsuits. It's unclear how many were related to law enforcement demands, or how many requests were fulfilled.

Only one of the companies, Amazon, said it notified customers when law enforcement demanded its pharmacy records unless there was a legal prohibition, such as a "gag order," preventing it from doing so, the lawmakers said...

Most investigative requests come with a directive requiring the company to keep them confidential, a CVS spokeswoman said; for those that don't, the company considers "on a case-by-case basis whether it's appropriate to notify the individual."
The article points out that Americans "can request the companies tell them if they've ever disclosed their data...but very few people do.

"CVS, which has more than 40,000 pharmacists and 10,000 stores in the United States, said it received a 'single-digit number' of such consumer requests last year, the letter states."

Sorta like Gilead

[Kernel Kurtz]

Gotta keep women in their place.

Re:Sorta like Gilead

[AlanObject]

I can guarantee you that Republican-minded DAs like that goat turd Ken Paxton will gleefully use the subpoena power to prosecute women who access abortion medications. Anything else is a sucker bet.

Re:Sorta like Gilead

[Kernel Kurtz]

As a non-American it blows me away that such profoundly evil people as Paxton are popular there. It says nothing good about that society.

And I wish him and his family many miscarriages. Few will ever be more deserving.

Uh...

[msauve]

Isn't that a HIPAA violation? In general, that doesn't seem to be covered by the exceptions for law enforcement purposes in 45 C.F.R. Â 164.512(f). Penalties can go into the 10's of thousands of dollars, and even into criminal penalties including imprisonment.

Re:Uh...

[Tony Isaac]

HIPAA does allow PHI to be disclosed in response to a subpoena. https://www.hhhealthlawblog.co... [hhhealthlawblog.com].

Re:Uh...

[ArmoredDragon]

Technically an investigative demand isn't a subpoena.

Re:

[Tony Isaac]

The article, and even the summary, both specifically state that these pharmacies are supplying data in response to...subpoenas.

Re:Uh...

[misnohmer]

From the link you quoted:

If the subpoena or other lawful process is signed by a person other than a judge, magistrate, or administrative tribunal (e.g., it is signed by a lawyer, prosecutor, court clerk, etc.), HIPAA wants to make sure the patient has been given notice of the subpoena, has had the chance to object, and/or that an appropriate protective order is in place.

Re:Uh...

[CoolDiscoRex]

Isn't that a HIPAA violation?

Sure, but it doesn't matter. Constitutional Rights, and other laws designed to protect citizens were getting in the way of the government asserting its authority over the people, so the Supreme Court, always conflicted with it's dependence on the government, completely invented the "compelling government interest" standard. This standard states that any rights granted to the people may be violated when there is a "compelling government interest" to violate them.

The Supreme Court, tasked solely with interpreting the constitutionality of law, never had the authority to grant such a thing. But who is there to enforce the Supreme Court's violation of the constitution? Especially when both parties benefit from said violations?

Even if it was a violation of HIPAA, remember when the government handed out retroactive immunity to phone companies for turning over customer info to the government.

Long story short, corporations are not ever penalized for handing over information to the government, nor will they ever be.

It doesn't matter what the law officially says. The government will not allow them to be punished, lest future corporations hesitate to hand over information when demanded.

Re:

[bill_mcgonigle]

> But who is there to enforce the Supreme Court's violation of the constitution?

In historical terms this is resolved with extrajudicial justice or, failing that, revolution.

But the barrier for both tends to be high so more often the society descends into tyranntly and mass democide.

A loophole that needs closing

[AlanObject]

I don't get why clinics, hospitals, and doctors offices are prohibited by law in almost every jurisdiction from disclosing your medical information without a warrant but pharmacies get a pass on this.

This is why the USA needs ...

[Alain Williams]

a good data protection law. Something like the EU's GDPR [wikipedia.org].

Go Amazon!

[misnohmer]

At least one company followed the HIPPA rules, and even a little beyond, as they are only required to notify customer if the subpoena is NOT signed by a person other than a judge, magistrate, or administrative tribunal (but are required if signed by a lawyer or court clerk, etc.).

Not A HIPPA violation.

[spaceman375]

This is a loophole that most people don't understand. HIPPA only applies to any person or organization that provides medical services. MEDICAL services. So the companies that provide a "Patient Portal" that is free to patients and cheap for doctors aren't covered by HIPPA; they don't employ doctors and don't provide medical services, only administrative services. They get their money by selling all the data that unknowing patients happily fill out in great detail. I've dropped a doctor after he refused to believe me - this really is their business model. I've asked, and the staff at doctor's offices don't even know how to delete or remove the data after you've entered it.

Re: Not A HIPPA violation.

[mmdurrant]

Wrong. HIPAA covers any person with access to PHI that could potentially disclose that info. It requires keeping track of who had access to systems and when. The whole purpose of HIPAA was ensuring medical info could be exchanged for the benefit of patients (portability - the P in HIPAA) while ensuring there were processes for protecting that data from disclosure and more importantly, clearly established accountability (one of the As in HIPAA).

Tldr if you have access to private health info you could poten

Re:

[groobly]

That's not entirely correct either. Once you provide HIPAA-protected information to an entity that is not covered under HIPAA, they can do anything they want with it. For example, if you authorize disclosure to your cousin, she can tell anyone she likes, as long as she is not acting as a doctor, hospital, etc. HIPAA privacy policies in my experience mention that.

This is why settlements shouldn't be allowed in

[PJ6]

any cases where the public interest is involved.

Nobody is going to obey the rules if we keep failing to demand real accountability.

They let everyone steal

[ruddk]

Everyone steals from stores these days.

Also lets police, etc. track patient's movements

[Ungrounded Lightning]

National drug store chains turning over patent records to the cops etc. without a warrant also lets them track their movements arounjd the country.

Not as find-grained, but much quicker than trying to mine license plate reader and surveilance camera imagery from around the continent. "Where's Wally Suspect?" "He was at this Walgreens in Tacoma on June 7 but that Kroger in Phoenix yesterday."

If you're against the surveillance state over cameras, library checkouts, browser histories, or TV show selection, you certainly should be against this data leak.

"But I don't have anything to hide so I don't care." doesn't cut it when, say, some piece of a cancel culture gets control of the machinery of government (or just some piece of law enforcement) and uses it against anyone not perfectly aligned with their particular ideology.

what is protected

[groobly]

Pharmacies are engaged on commerce, not doctoring. They are only providing information about commerce, just as a grocery store might reveal that you bought non-fat milk.

Or at least that is the basis for their loophole.

What your insurance paid for isn't entirely secure either, based on the same premise.