This is obscene:
The nation’s largest pharmacy chains have handed over Americans’ prescription records to police and government investigators without a warrant, a congressional investigation found, raising concerns about threats to medical privacy.
Though some of the chains require their lawyers to review law enforcement requests, three of the largest — CVS Health, Kroger and Rite Aid, with a combined 60,000 locations nationwide — said they allow pharmacy staff members to hand over customers’ medical records in the store.
I find this to be absolutely flabbergasting. There is literally no fucking upside for them to release these records without a warrant and they may have violated who knows how many codes and laws. I need to know which pharmacy chain, if there is one, who will fight this shit.
Alison Rose
That sound you just heard was Orwell spinning in his grave.
NotMax
Rite Aid is one of those companies shuttering locations left and right. A year from now could be they’re but a memory.
Snarki, child of Loki
The only way this gets fixed is if the complete pharmacy records of GOP politicians and their families get released.
dlwchico
CVS Caremark does a ton of mail order prescriptions (including mine).
Evap
So glad we have a local independent pharmacy in my ‘hood. The pharmacist is awesome and has saved many lives with narcsn
Yarrow
So someone could claim to be a cop and get all the pharmacy records they want. I know the claiming to be a cop is illegal but it doesn’t sound like those pharmacies check much.
pacem appellant
According to the WaPo article, this isn’t illegal; there’s a HIPAA carve-out for pharmacies. Weirdly, only Amazon’s pharmacy requires warrants.
Martin
You say that like it was a deliberate act. It wasn’t. This outcome is due to administrative structure, I guarantee it.
I was one of those people who would be contacted by law enforcement, etc. Shit, after 9/11 I practically had an FBI agent in my office every minute I was there for a month. But I was well trained in terms of what my role and responsibility was for a warrant, a subpoena, and so on. That training was renewed regularly – at least once a year, usually twice a year. I knew a wide variety of institutional policies, state laws, and federal laws related to individual privacy. We had laws on information retention we followed to the letter. I had a team of lawyers I could consult (and in many cases was required to consult) before I did anything. And I had the authority to say ‘no’ when I was uncertain and wouldn’t be punished if that meant a task would take 5x longer as a result.
Institutionally we had breakdowns of this system and every single time it was because someone backed off, to save money, to save time, because they thought it was annoying, because giving an employee authority to say no meant we had to pay them more (raises job classification) and so on. Every time. Without exception. Not once was it deliberate on the part of the employee, it was always a consequence of an administrative decision made elsewhere.
rikyrah
Without.a.phucking.warrant.
I could have put on a police uniform that I rented at a costume store.
And, went and got people’s PRIVATE MEDICAL RECORDS.
Ohio Mom
When HIPAA started, I waded through the fine print. My very uninformed impression then was that the promised privacy mainly extended to people in the patient’s family and social circles. There were all sorts of exceptions for various government and law enforcement agencies.
But as the saying goes, IANAL, someone who is may have a more accurate reading.
Rusty
What the hell were their legal departments doing? Every large corporate legal department has a privacy specialist, which would be especially important for any company that touches medical records. If the report is true, there needs to be some major housecleaning and serious oversight. I hope they all have the shit sued out of them.
Brachiator
@pacem appellant:
Is this some deliberate offshoot of the war on drugs?
sab
My husband uses CVS. I go to the local pharmacy in our local grocery store chain. I do not understand his loyalty. My guys are good and helpful. CVS prices high. Pharmacist too busy to talk to customers. Every couple of months a fuckup. I realize his old pharmacist from when CVS took over was great, but that guy retired and they closed his store.
smith
One of the most dangerous aspects of this is the ease with which law enforcement in uterus-slave states can get information about prescriptions for abortion medication from pharmacy branches in free states.
pacem appellant
@Brachiator: The WaPo article doesn’t say. I hope investigative journalists follow up to learn how we got here. Up until reading the article, I assumed that HIPAA meant my medical data were safe-ish. This is apparently—and legally—not the case.
trollhattan
@Evap: narcsn
I read that as a portmanteau of Narcan and sarcasm, proving once again that medication and sardonic humor are important weapons in healthcare.
Martin
Same thing happened recently with Verizon, btw.
Now, this one falls on a few parties. For one, these legal requests are all over the damn place in terms of format and structure, so it’s not like there’s any way to validate these on receipt unless you’re really familiar with them. Microsoft has better document security on the Windows license that comes with your computer than a warrant does. But courts make it difficult to verify that one of these documents is valid, mostly due to budget cuts, but also due to antiquated methods.
Ohio Mom
I am thinking there’s no profit in refusing to turn records over, only potential expense. Turning them over in contrast, hardly costs anything, just a little staff time.
Pharmacy chains are like every other part of the medical industrial complex, completely greedy.
lowtechcyclist
We had an independent pharmacy here, but the people who owned it wanted to retire, and sold it to CVS, which is where our prescriptions have been in the fifteen years or so since.
I can’t imagine any way that law enforcement would gain anything by access to our prescription info, but still, that sucks.
And as smith points out, that could be downright dangerous for women of childbearing age in a lot of red states.
Bill Arnold
@smith:
If they’re doing it for law enforcement without a warrant, they’re doing it for anyone who asks that they feel like cooperating with, maybe in return for a $100 bill, or sexual favors, or because they suggest that a lack of cooperation might result in trouble (and your kids go to school X), or otherwise harm them.
And it’s not just abortion medication, though that may be among the worst potential abuses. Proof of many medical conditions can be used to destroy the reputations of people for other reasons.
VeniceRiley
Yes. This is to target women. And probably trans people. Handmaid’s Tale.
Brachiator
@Ohio Mom:
But I guess I presumed that there was already some specific law covering this.
Can law enforcement go to a hospital and get your treatment records?
Martin
@pacem appellant: So, part of our challenge was that different parts of a person’s record are covered under different laws. This creates a real problem. If you get a warrant from agency A that covers certain things, you have to redact the parts of the record that aren’t covered. One way to handle this is to segregate different parts of the record, so that CVS clinic data doesn’t get passed along with CVS pharmacy records. As these businesses expand into new areas, they quite often fuck up that part.
I should note, when I was dealing with a potential shooter in my job, this segregation of records was a big part of the problem because people didn’t want to do the work to release their records to people with other authorization in order to put a complete picture together. It happened at a time of year when everyone was busy and didn’t feel they could drop everything for a few hours to pull the lawyers in.
This showed up a lot under Covid as well. There are HIPAA carveouts for public health, to allow for things like contact tracing. But that’s not a part of the law that we exercise often, so everyone who we needed to be involved in that effort just instinctively said ‘no’ and again, we needed to haul in a small army of lawyers (who themselves were unfamiliar with this and had to take time and do some research) and carefully walk us through stuff. If you have a student record, and they tell student health something vs telling our hospital something – different laws, different disclosures. If they tell it to disability services – different. A campus therapist – different. An academic advisor – different. A professor – different.
You can navigate it, it’s not THAT bad, but you have to take the time and effort to navigate it. That 9/11 period was fucking awful, because the FBI were NOT patient, and were people I knew well from doing background check interviews for security clearances, but I had to navigate this properly. Sometimes the police make it harder than necessary to comply.
cain
@smith: Yeah, which means that law enforcement in RED states can do a verify check maybe while pulling over someone going through their state.
That’s some dangerous shit – it will make driving more dangerous. Shit, I’ll just go on a bus instead or by train.
(assumption is that they can just ask electronically – but once they pull you over they have your name and could charge you afterwards or create an alert of some sort and if you’re Texas – hey, some folks sue you)
sab
@Brachiator: Of course it is, as cover for just plain old-fashioned spying.
Anoniminous
@Brachiator:
Source: “Guidelines for Releasing Patient Information to Law Enforcement” American Hospital Association
Martin
There’s a lot of potential cost in turning them over. These kinds of lawsuits tend to be VERY expensive.
But I suspect that profit is not a factor, at least not directly. You have some overworked employee processing these requests just trying to hold onto their job, or leave for the day. CVS is doing everything they can to streamline this process, and if I’m being generous to them and suggesting they *don’t* want to break a law, they’re still going to remove safeguards not realizing how important those safeguards are. I had so many fights around that – even with database developers about how a record should be structured and protected, or how user logging should be done to protect who can see what parts of a record.
There are plenty of cases where an employee is authorized to release x and y, but they have database access to z so they release z because they think their access and authorization map 1:1. Shit like that is constant. And you can eliminate that by slowing the whole process down, having training and procedures that draw attention to them not being 1:1. Sometimes giving employees MORE agency to interpret prevents this, because if their job is ‘reply to these’ and not ‘determine if we should reply to these’, then they’re just doing their job.
The cheapest long term solution for a company is to let the lawyers handle it completely and avoid the lawsuits. But it’s rare that administrative decisions are made with that kind of holistic view, because I’m trying to balance my budget, not CVS’s budget, and if cutting this step out balances it but exposes CVS to a lawsuit, well, that cost isn’t out of my budget – that’s not my problem. I can only be responsible for the things I’m authorized to be.
artem1s
From The Record article, not paywalled …
HIPAA rules on pharmacy records are currently under review by HHS’s Office of Civil Rights, which has said it is focusing on better protecting reproductive health care information.
Amazon, the only other of the eight companies to comment, said it is committed to protecting its customers’ privacy and noted that records’ requests from law enforcement are very rare.
“When required by law, we cooperate with law enforcement officials and comply with court orders,” the statement said. “Amazon Pharmacy notifies a customer prior to disclosing health information to law enforcement as long as there is no legal prohibition to doing so.”
Among the changes being considered by HHS’s Office of Civil Rights are new protections banning the use or sharing of protected health data to identify, investigate or prosecute providers and “others involved in the provision of legal reproductive health care, including abortion,” according to the HHS website.
This shit has been around at least since the Bush era War on Drugs. FFS, Dense tried to force Indiana women to report on their menstrual cycles. BTW, didn’t we just have a whole post about how the MSM whipped up the wingnuts with a bunch of poorly interpreted statistics on inventory loss? This congressional investigation is shedding light on these practices and will probably result in real changes that will help keep private info private. And protect pharmacies when they are pressured into handing over their customers’ records. I’m sure Walgreens feels completely justified today in deciding to never dispense plan B drugs again. Rolling heads won’t be particularly helpful if the result of all the outrage is pharmacies just refuse to dispense controversial meds. You know like hormone therapies.
Martin
@Brachiator:
It depends. It depends on what they want to know, it depends on what court order they have. And HIPAA isn’t the only law that covers this stuff.
And retention of these documents is also important. If you are required to retain them for 5 years, and you don’t purge them after 5, they can still be requested. You can’t say ‘oh, my bad, I should have shredded those, you can’t have them’. So if the patient thought they were free and clear because they hadn’t been treated in that period of time, but the provider didn’t clear out their records, then those records can still be requested.
So we were diligent about purging because you can’t turn over a record that doesn’t exist. This is also why you don’t document what doesn’t need to be documented. This is why you document in the correct place. Do you put the patient’s conditions in the admittance record which is covered by different laws than the patient record? And so on and so forth.
brendancalling
@Evap: we have a few nearby in Philly. I’m switching from CVS if possible.
Martin
@artem1s: I will say that tech companies tend to be pretty good at this stuff. Not because they are noble, but because they are organized. They are more likely to have well organized centralized records and can centralize compliance with people that are better experts at this. I had a friend that worked an IT job that implemented the compliance part and described how it worked there (Facebook), and it was actually really, really good. They may leak your data to anyone that hands them cash, but their subpoena compliance seems to be quite well handled. My guess is that Amazon is comparably centralized and capable.
But if the pharmacies handle these requests locally or regionally, they aren’t going to do it well. There’s also the problem of a CA agency avoiding CA health laws by contacting a CVS in Texas with different laws, but still with access to that same database. That has to be part of the process as well – does CVS have to comply with Texas law for a request in Texas for a CA patient who has never been to Texas?
sab
John Cole: whose heads roll? The minimum wage pharmacy workers who released it per gov request, or the higher-ups who gave them no guidance, knowing this was likely?
Ben Vernia
Just as outrageous (and kind of related) was the Supreme Court’s decision in Sorrell v. IMS Health, Inc. (2011). Pharmacies make side money by selling prescribing data of doctors. While this doesn’t disclose patient information (i.e., who got the prescription), it is a key data point in pharma sales and marketing.
So, you’re a pharma rep (and former HS cheerleader), and you ask Dr. Brown if he/she will prescribe, say, Oxycontin. He/she assures you they will, and you invite them to a fancy dinner for “continuing medical education” at the nicest restaurant in town. At the end of the month, you get Dr. Brown’s prescribing data from IMS, and you find out that Dr. Brown didn’t increase Oxycontin prescriptions at all. So you can call them out on it and suspend their dining privileges until you see the numbers rise.
Vermont quite reasonably outlawed this. SCOTUS ruled that it violated IMS’s first amendment rights.
eversor
This is not obscene or wrong. This is Christian. If we have Christian this must be the norm. You have rights or Christianity. You don’t get both. So anyone who doesn’t want to get rid of Christianity owns this. Each, single, fucking one. There is your fucking Christianity. Now own it. Or be a bigger liar than Trump. You defend the bible you put the rest of us as second rate humans.
Many people here own it, and will own it to their graves. Are you not against Christianity? If not, you got what you defended. And you own all of it.
Baud
@eversor:
Republican voter says what?
Harrison Wesley
So ‘CVS’ actually stands for ‘Christian Value System?’ I did not know that.
japa21
Okay, who said the name 3 times?
Alison Rose
@japa21: At this point, I expect them to start their shit in the gardening threads. WE ONLY HAVE APHIDS BECAUSE OF CHRISTIANITY!!!!!!
japa21
@Alison Rose:
You made me laugh out loud. Something I usually don’t do.
Alison Rose
@japa21: My work here is done!
Goku (aka Amerikan Baka)
@Baud:
LMAO. Never let them live that down. And it was like pissing into the wind with Dems sweeping the VA leg
Odie Hugh Manatee
IMO Walmart is a useful distraction for Kroger, which itself is a real threat to both consumers and workers.
eclare
@Baud:
Thank you.
RedDirtGirl
@japa21: LOL!
Tony G
I’m not a lawyer — but doesn’t this behavior violate the HIPAA law??? I was working in I.T. at a large New York City hospital at the time that HIPAA took effect, and management promised to fire anyone who didn’t properly secure databases that had patient data.
karensky
@sab: I don’t get it either! People in general will stick with a doctor who is a jerk and even one who misdiagnoses serially. Same is true of banks who have bad service and in the case of Wells Fargo steal from customers. 18 months ago I switched from CVS to a neighborhood pharmacy and I am happy with the services available.
Anonymous At Work
IAAL and I deal in HIPAA. There are specific HIPAA “exceptions” (the term in the law) for when a covered entity may properly release Protected Health Information to law enforcement without signed authorization to law enforcement.
Warrants, subpoenas, etc. are a major one. Emergent issues (not emergency per se but strong belief that they are needed in a specific and particular situation that may involve a crime) are another. But each exception is SPECIFIC. “Women who are sexually active receiving potential abortifacients” would, in my unresearched opinion, be suspect.
HIPAA also provides HARSH penalties for breaches. If you want to know why your company’s legal department takes HIPAA so seriously, it’s because the penalties are huge and can snowball quickly.
This will need follow-up and I suspect heads will roll.
Yarrow
@karensky:
Not everyone has this luxury. With my insurance I have a choice between two large chain pharmacies. Otherwise I’m out of network and nothing will be covered.
Evap
@trollhattan: it was a typo but I like your version!
Kineslaw
I spent a few months working at a state Board of Pharmacy ~15 years ago. EVERY major screw up that resulted in death/major complications was CVS. They were obviously operationally poor from the top down and don’t seem to have changed.
Snarki, child of Loki
I switched from CVS to GIT, and it was a much better experience.
mvr
Crap. I quit using Walmart when I found out they funded ALEC and thus indirectly one party rule in Wisconsin. Now where do I go?
I guess the good news is that my University just switched away from CVS/Caremark for mail order free generics, who I actually liked using for convenience. But I guess the privacy isn’t so great.
Mr. Bemused Senior
@Snarki, child of Loki: IEBUPDTE
Gah.
Tony G
@Anonymous At Work: Good. I hope that these corporations — and their CEOs — are slammed quickly and hard.
vasiliy
@Snarki, child of Loki: …to the tabloid press.