CVS customers can sign away their privacy and receive $5 store credit as a reward.
The CVS ExtraCare Pharmacy & Health Rewards program offers customers the chance to earn $5 worth of store credit for every 10 filled prescriptions – with a $50 per year max. The store chain has been pushing its new prescription rewards program since February, and pharmacists are being told to try to get customers to enroll.
When CVS prescription rewards program patrons sign on the dotted line and accept the $5 store credit offer, they are also giving away their federal privacy safeguards. That pesky small print which tends to come back to haunt less-than-diligent consumers is utilized to its fullest at the CVS pharmacy. Once customers become prescription rewards program participants, CVS has the authority to share their drug purchase history.
“It’s very troubling,” Privacy Rights Clearinghouse Director of Policy and Advocacy Paul Stephens said. “Your medical information is very sensitive. Pharmaceutical companies obviously would want to know what you’re taking and get you to buy more expensive medicines.”
Both Rite-Aid and Walgreens offer similar prescription rewards programs, but company officials maintain that the relinquishment of federal privacy protections is not required for membership. The fine print contained in the CVS pharmacy agreement states that everyone who enrolls in the program must also sign a HIPAA authorization form to join and then re-sign the same form upon annual enrollment.
Under HIPAA – the Health Insurance Portability and Accountability Act – medical professionals cannot give away consumers’ medical records without consent. A federal government website says that HIPAA “gives you rights over your health information and sets rules and limits on who can look at and receive your health information.”
The CVS website lists frequently asked questions, such as, “Why do I need to sign a HIPAA Authorization?”
“The HIPAA Authorization allows CVS pharmacy to record the prescription earnings of each person who joins the ExtraCare Pharmacy & Health Rewards program,” the CVS answer reads.
The response neglects to explain what HIPAA is or how the federal law protects private medical information. If a doctor, pharmacy, hospital, dentist, or insurance agency violates the HIPAA rules, they could face both criminal and civil penalties and fines of up to $1.5 million for each individual violation.
“Nowhere does CVS clarify what HIPAA is,” Los Angeles Times columnist David Lazarus wrote. “… It’s a serious omission. What CVS calls a “HIPAA Authorization,” therefore, is not to be taken lightly.”
CVS ExtraCare spokesman Mike DeAngelis maintains that the company utilizes “state-of-the-art technology” to protect members’ health and personal information. DeAngelis went on to claim that CVS does not share private information in any way with non-affiliated third parties. But, since the patron has cast aside their HIPAA protections, the company could choose to do so if it wanted.
The LA Times’ Lazarus said CVS is acquiring customers’ private information through “questionable means.”
“CVS assumes you are aware of what it means to no longer be protected by HIPAA, although, again, it hasn’t spelled out the implications of giving up your HIPAA rights,” Lazarus wrote. “Nor has CVS disclosed with whom your previously confidential medical information may be shared and for what purposes.”
Andrew Hicks, of Coalfire Systems, a consulting firm that works with clients on HIPAA, said it’s no small thing to sign away HIPAA protections.
“Without HIPAA, they could be shipping data to who knows where,” Hicks told the newspaper. “As a consumer, you’d have no idea where your information is.”
The Times’ Lazarus wondered why Rite-Aid and Walgreens – and not CVS – “have found ways to reward drug customers without violating their HIPAA protections.”
“What is it about CVS’ program that necessitates customers abandoning their federal privacy rights?” he asked. “CVS isn’t saying. But $50 worth of store credits is hardly fair compensation for such a marketing prize.”