Connect with us

Hi, what are you looking for?

Editor's Pick

Pharmacies share medical data with police without a warrant, inquiry finds

The nation’s largest pharmacy chains have handed over Americans’ prescription records to police and government investigators without a warrant, a congressional investigation found, raising concerns about threats to medical privacy.

Though some of the chains require their lawyers to review law enforcement requests, three of the largest — CVS Health, Kroger and Rite Aid, with a combined 60,000 locations nationwide — said they allow pharmacy staff members to hand over customers’ medical records in the store.

The policy was revealed in a letter sent late Monday to Xavier Becerra, the secretary of the Department of Health and Human Services, by Sen. Ron Wyden (D-Ore.) and Reps. Pramila Jayapal (D-Wash.) and Sara Jacobs (D-Calif.).

The members began investigating the practice after the Supreme Court’s decision last year in Dobbs v. Jackson Women’s Health Organization ended the constitutional right to abortion.

The revelation could shape the debate over Americans’ expectations of privacy as Texas and other states move to criminalize abortion and drugs related to reproductive health.

Pharmacies’ records hold some of the most intimate details of their customers’ personal lives, including years-old medical conditions and the prescriptions they take for mental health and birth control.

Because the chains often share records across all locations, a pharmacy in one state can access a person’s medical history from states with more-restrictive laws. Carly Zubrzycki, an associate professor at the University of Connecticut law school, wrote last year that this could link a person’s out-of-state medical care via a “digital trail” back to their home state.

The Health Insurance Portability and Accountability Act, or HIPAA, regulates how health information is used and exchanged among “covered entities” such as hospitals and doctor’s offices. But the law gives pharmacies leeway as to what legal standard they require before disclosing medical records to law enforcement.

In briefings, officials with America’s eight biggest pharmacy giants — Walgreens Boots Alliance, CVS, Walmart, Rite Aid, Kroger, Cigna, Optum Rx and Amazon Pharmacy — told congressional investigators that they required only a subpoena, not a warrant, to share the records.

A subpoena can be issued by a government agency and, unlike a court order or warrant, does not require a judge’s approval. To obtain a warrant, law enforcement must persuade a judge that the information is vital to investigate a crime.

Officials with CVS, Kroger and Rite Aid said they instruct their pharmacy staff members to process law enforcement requests on the spot, saying the staff members face “extreme pressure to immediately respond,” the lawmakers’ letter said.

The eight pharmacy giants told congressional investigators that they collectively received tens of thousands of legal demands every year, and that most were in connection with civil lawsuits. It’s unclear how many were related to law enforcement demands, or how many requests were fulfilled.

Only one of the companies, Amazon, said it notified customers when law enforcement demanded its pharmacy records unless there was a legal prohibition, such as a “gag order,” preventing it from doing so, the lawmakers said.

Americans can request the companies tell them if they’ve ever disclosed their data under a HIPAA “Accounting of Disclosure” rule, but very few people do. CVS, which has more than 40,000 pharmacists and 10,000 stores in the United States, said it received a “single-digit number” of such consumer requests last year, the letter states.

CVS, the country’s largest pharmacy by prescription revenue, said in a statement that it is compliant with HIPAA and that its pharmacy teams are “trained on how to appropriately respond to lawful requests from regulatory agencies and law enforcement.”

“We have suggested a warrant or judge-issued subpoena requirement be considered and we look forward to working cooperatively with Congress to strengthen patient privacy protections,” company spokeswoman Amy Thibault said.

Most investigative requests come with a directive requiring the company to keep them confidential, she said; for those that don’t, the company considers “on a case-by-case basis whether it’s appropriate to notify the individual.” The company intends to begin publishing a transparency report that will include information on third-party record requests starting in the first quarter of next year, she said.

HHS did not immediately respond to requests for comment.

A Walgreens spokesman said the company’s law enforcement process follows HIPAA and other applicable laws. A Walmart spokeswoman said the company takes its “customers’ privacy seriously as well as our obligation to law enforcement.” Rite Aid declined to comment.

The other companies, including Amazon, did not respond to requests for comment. Amazon founder Jeff Bezos owns The Washington Post, and interim Post CEO Patty Stonesifer is a member of Amazon’s board.

Carmel Shachar, an assistant clinical professor at Harvard Law School who researches health law and policy, said that pharmacies hold a “ton of sensitive data” and that pharmacists are probably not trained to evaluate the merits or validity of a police request — or to turn an officer down.

“These need to go to someone who understands privacy law for review,” she said. “It probably feels very nerve-racking to get a subpoena and tell the person who gave it to you, ‘Oh, you’ll have to wait.’”

The pharmacy data could be especially concerning for the nearly 1 in 3 women ages 15 to 44 who a Post analysis found live in states where abortion is fully or mostly banned.

In Texas, Attorney General Ken Paxton (R) has warned pharmacies they could face criminal charges for providing women with “abortion-inducing drugs.” Kate Cox, a Dallas-area mother of two who sought an abortion after learning her fetus had a fatal genetic condition, left the state on Monday after the Texas Supreme Court blocked a lower-court ruling that would have allowed her to get the procedure.

Some states, such as Louisiana, Montana and Pennsylvania, offer additional protections for medical data disclosure, though federal law enforcement is not subject to their laws.

In their letter, the lawmakers called on HHS to strengthen HIPAA’s rules and ensure pharmacies insist on a warrant, which would require law enforcement go to court to enforce such requests.

The lawmakers noted that the tech industry had adopted a similar change in the early 2010s, when Google, Microsoft and Yahoo began demanding to see warrants before providing data on customers’ emails.

They also urged the companies to proactively notify customers and to publish regular transparency reports highlighting the volume of law enforcement requests.

“Americans deserve to have their private medical information protected at the pharmacy counter,” they wrote.

This post appeared first on The Washington Post

Enter Your Information Below To Receive Free Trading Ideas, Latest News And Articles.

    Your information is secure and your privacy is protected. By opting in you agree to receive emails from us. Remember that you can opt-out any time, we hate spam too!

    You May Also Like

    Latest News

    Kim Jong Un attended a “paramilitary parade” with his daughter to mark the 75th anniversary of North Korea’s founding on Saturday, the country’s state...


    Target said Tuesday that it will close nine stores in major cities across the country, citing violence, theft and organized retail crime. The company will...


    A U.S. District Court judge Thursday blocked implementation of a new Idaho law that would prevent transgender students from using restrooms, locker rooms and...


    The Consumer Price Index hit 3.2% in July, compared with 3% in June, the Bureau of Labor Statistics reported Thursday. Once again, food prices...

    Disclaimer:, its managers, its employees, and assigns (collectively “The Company”) do not make any guarantee or warranty about what is advertised above. Information provided by this website is for research purposes only and should not be considered as personalized financial advice. The Company is not affiliated with, nor does it receive compensation from, any specific security. The Company is not registered or licensed by any governing body in any jurisdiction to give investing advice or provide investment recommendation. Any investments recommended here should be taken into consideration only after consulting with your investment advisor and after reviewing the prospectus or financial statements of the company.

    Copyright © 2023