All of the big pharmacy chains in the US hand over sensitive medical records to law enforcement without a warrant—and some will do so without even running the requests by a legal professional, according to a congressional investigation.
The revelation raises grave medical privacy concerns, particularly in a post-Dobbs era in which many states are working to criminalize reproductive health care. Even if people in states with restrictive laws cross state lines for care, pharmacists in massive chains, such as CVS, can access records across borders.
Lawmakers noted the pharmacies’ policies for releasing medical records in a letter dated Tuesday to the Department of Health and Human Services (HHS) Secretary Xavier Becerra. The letter—signed by Sen. Ron Wyden (D-Ore.), Rep. Pramila Jayapal (D-Wash.), and Rep. Sara Jacobs (D-Calif.)—said their investigation pulled information from briefings with eight big prescription drug suppliers.
They include the seven largest pharmacy chains in the country: CVS Health, Walgreens Boots Alliance, Cigna, Optum Rx, Walmart Stores, Inc., The Kroger Company, and Rite Aid Corporation. The lawmakers also spoke with Amazon Pharmacy.
All eight of the pharmacies said they do not require law enforcement to have a warrant prior to sharing private and sensitive medical records, which can include the prescription drugs a person used or uses and their medical conditions. Instead, all the pharmacies hand over such information with nothing more than a subpoena, which can be issued by government agencies and do not require review or approval by a judge.
Three of the pharmacies—CVS Health, The Kroger Company, and Rite Aid Corporation—told lawmakers they didn’t even require their pharmacy staff to consult legal professionals before responding to law enforcement requests at pharmacy counters. According to the lawmakers, CVS, Kroger, and Rite Aid said that “their pharmacy staff face extreme pressure to immediately respond to law enforcement demands and, as such, the companies instruct their staff to process those requests in store.”
The rest of the pharmacies—Amazon, Cigna, Optum Rx, Walmart, and Walgreens Boots Alliance—at least require that law enforcement requests are reviewed by legal professionals before pharmacists respond. But, only Amazon said it had a policy of notifying customers of law enforcement demands for pharmacy records, unless there were legal prohibitions to doing so, such as a gag order.
HIPAA and transparency
The lawmakers note that the pharmacies aren’t violating regulations under the Health Insurance Portability and Accountability Act (HIPAA). The pharmacies pointed to language in HIPAA regulations that allow for health care providers, including pharmacists, to provide medical records if required by law, with subpoenas being a sufficient legal process for such a request. But, the lawmakers note that the HHS has discretion in determining the legal standard here—that is, it has the power to strengthen the regulation to require a warrant, which the lawmakers say it should do.
“We urge HHS to consider further strengthening its HIPAA regulations to more closely align them with Americans’ reasonable expectations of privacy and Constitutional principles,” the three lawmakers wrote.
They also pushed for pharmacies to do better, encouraging them to follow the lead of tech companies. “Pharmacies can and should insist on a warrant, and invite law enforcement agencies that insist on demanding patient medical records with solely a subpoena to go to court to enforce that demand. The requirement for a warrant is exactly the approach taken by tech companies to protect customer privacy.” The trio noted that Google, Microsoft, and Yahoo have since 2010 required law enforcement to have a warrant in order to obtain customers’ emails.
Also noting tech companies’ lead, the lawmakers encouraged pharmacies to publish annual transparency reports. In the course of the investigation, only CVS Health said it planned to do so.
“Americans deserve to have their private medical information protected at the pharmacy counter and a full picture of pharmacies’ privacy practices, so they can make informed choices about where to get their prescriptions filled,” the lawmakers wrote.
For now, HIPAA regulations do grant patients the right to know who is accessing their health records. But, in order to do so, patients have to specifically request that information—and almost no one does that. “Last year, CVS Health, the largest pharmacy in the nation by total prescription revenue, only received a single-digit number of such consumer requests,” the lawmakers noted.
“The average American is likely unaware that this is even a problem,” the lawmakers said.