By Pat Anson, PNN Editor

Three of the nation’s largest pharmacy chains -- CVS, Kroger and Rite Aid – allow staff in their pharmacy stores to routinely hand over prescription records to law enforcement without a warrant, according to congressional investigators. In most cases, pharmacy customers are never informed that their medical records have been provided to law enforcement or why they were being sought.   

The policies were revealed in a joint letter sent to Health and Human Services Secretary Xavier Becerra by Sen. Ron Wyden (D-OR) and Reps. Pramila Jayapal (D-WA) and Sara Jacobs (D-CA), who have been looking into the privacy practices of major pharmacy chains.

“Americans' prescription records are among the most private information the government can obtain about a person. They can reveal extremely personal and sensitive details about a person’s life, including prescriptions for birth control, depression or anxiety medications, or other private medical conditions,” Wyden, Jayapal and Jacobs wrote in their letter, which was first reported on by The Washington Post.

Congressional investigators asked eight major pharmacy chains about their policies for dealing with law enforcement requests for prescription records. Five of them — Amazon Pharmacy, Cigna, Optum Rx, Walmart and Walgreens —- said the requests are automatically reviewed by legal professionals before responding.

“The three remaining pharmacy chains — CVS Health, The Kroger Company, and Rite Aid Corporation — indicated that their pharmacy staff face extreme pressure to immediately respond to law enforcement demands and, as such, the companies instruct their staff to process those requests in the store,” the letter said.

“CVS Health and the Kroger Company both defended this practice, arguing that their pharmacy staff — who are not lawyers or paralegals — are trained to respond to such requests and can contact the legal department if they have questions.”

All eight pharmacy chains said they do not require a warrant to share pharmacy records, unless there is a state law that dictates otherwise. Only three states – Louisiana, Montana and Pennsylvania – have laws that require a warrant signed or reviewed by a judge before medical data is disclosed.

HIPAA Privacy Issues

Law enforcement agencies are not covered by the Health Insurance Portability and Accountability Act (HIPAA), which protects patient privacy. The pharmacy chains are covered by HIPAA, but say they are exempt under HHS regulations that allow healthcare providers to disclose patient records to law enforcement if it is obtained through a subpoena or a simple administrative request. Unlike warrants, subpoenas generally do not require a judge’s approval.

Congress began looking into the HIPAA policies of pharmacies after the U.S. Supreme Court overturned Roe v Wade, leaving it up to individual states to make their own laws about abortion. Some medications that induce abortions are now banned in certain states.

But the Drug Enforcement Administration and other law enforcement agencies were showing a keen interest in obtaining prescription records long before Roe v Wade was overturned. In 2020, the DEA solicited bids from contractors for a prescription drug surveillance program that would identify virtually every patient, prescriber and pharmacy that may be diverting or abusing opioids and other controlled substances.

Under the proposed surveillance program, DEA investigators would have “unlimited access” to prescription data, including the names of prescribers and pharmacists, types of medication, quantity, dose, refills and forms of payment. The names of patients would be encrypted, but if investigators suspect a medication was being abused or diverted, they could get a subpoena to identify them.

“I have talked to many patients who described things that made them believe this was occurring,” says Anne Fuqua, a disabled nurse in Alabama who needs high-dose opioids for intractable pain. At least two of Fuqua’s out-of-state physicians have been raided by the DEA and driven from medical practice without criminal charges ever being filed against them.

She’s pleased that Congress is looking into HIPAA issues at the pharmacy level, but feels that law enforcement already has easy access to patient information.  

“I'm glad that the huge potential for intrusion into a person's medical care is finally attracting attention,” Fuqua told PNN. “There are many states like Alabama where state and local law enforcement can access PDMP by simply affirming there is an active investigation in process. As long as some states permit unfettered access to the PDMP by law enforcement, the police and DEA don't really even need to contact the actual pharmacy for records related to controlled substances.”

Of the eight pharmacy chains contacted by congressional investigators, only Amazon said it automatically notifies customers if a law enforcement agency asked for their medical records, unless there is a legal reason not to do so.

Under the HIPAA Act, every American has the right to ask a healthcare provider if their medical information has been disclosed. Few people do, however. CVS said it received only a “single-digit number” of consumer requests last year.  A CVS spokesman told The Washington Post that most law enforcement requests come with a directive that they be kept confidential.

Pharmacies already face enormous scrutiny over their dispensing of opioid pain medication. Under the national opioid settlement, drug wholesalers have to limit the amount of opioids supplied to each pharmacy and are required to collect from pharmacies a list of suspicious orders and red flags that may indicate drugs are being abused or diverted. Pharmacies that don’t comply risk being “terminated” by their suppliers.

Wyden, Jayapal and Jacobs say more privacy protections are needed for pharmacy customers.

“We urge HHS to consider further strengthening its HIPAA regulations to more closely align them with Americans’ reasonable expectations of privacy and Constitutional principles. Pharmacies can and should insist on a warrant, and invite law enforcement agencies that insist on demanding patient medical records with solely a subpoena to go to court to enforce that demand,” they wrote.