Inquiry finds pharmacies share data with police
Medical details often handed over without a warrant
The nation’s largest pharmacy chains have handed over Americans’ prescription records to police and government investigators without a warrant, a congressional investigation found, raising concerns about threats to medical privacy.
Though some of the chains require their lawyers to review law enforcement subpoenas, three of the largest — CVS Health, Kroger, and Rite Aid, with a combined 60,000 locations nationwide — said they allow pharmacy staff members to hand over customers’ medical records in the store.
The policy was revealed in a letter sent late Monday to Xavier Becerra, the secretary of the Department of Health and Human Services, by Senator Ron Wyden of Oregon and Representatives Pramila Jayapal of Washington and Sara Jacobs of California.
The members, all Democrats, began investigating the practice after the Supreme Court’s decision last year in Dobbs v. Jackson Women’s Health Organization ended the constitutional right to abortion.
The revelation could shape the debate over Americans’ expectations of privacy as Texas and other states move to criminalize abortion and drugs related to reproductive health.
Pharmacies’ records hold some of the most intimate details of their customers’ personal lives, including years-old medical conditions and the prescriptions they take for mental health and birth control.
Because the chains often share records across all locations, a pharmacy in one state can access a person’s medical history from states with more restrictive laws. Carly Zubrzycki, an associate professor at the University of Connecticut law school, wrote last year that this could link a person’s out-of-state medical care via a “digital trail” back to their home state.
The Health Insurance Portability and Accountability Act, or HIPAA, regulates how health information is used and exchanged among “covered entities” such as hospitals and doctor’s offices. But the law gives pharmacies leeway as to what legal standard they require before disclosing medical records to law enforcement.
In briefings, officials with
America’s eight biggest pharmacy giants — Walgreens Boots Alliance, CVS, Walmart, Rite Aid, Kroger, Cigna, Optum Rx, and Amazon Pharmacy — told congressional investigators that they required only a subpoena, not a warrant, to share the records.
A subpoena can be issued by a government agency and, unlike a court order or warrant, does not require a judge’s approval. To obtain a warrant, law enforcement must persuade a judge that the information is vital to investigate a crime.
Officials with CVS, Kroger, and Rite Aid said they instruct their pharmacy staff members to process law enforcement requests on the spot, saying the staff members face “extreme pressure to immediately respond,” the lawmakers’ letter said.
The eight pharmacy giants told congressional investigators that they collectively received tens of thousands of legal demands every year, and that most were in connection with civil lawsuits. It’s unclear how many were related to law enforcement demands, or how many requests were fulfilled.
Only one of the companies, Amazon, said it notified customers when law enforcement demanded its pharmacy records unless there was a legal prohibition, such as a “gag order,” preventing it from doing so, the lawmakers said.
Americans can request the companies tell them if they’ve ever disclosed their data under a HIPAA “Accounting of Disclosure” rule, but very few people do. CVS, which has more than 40,000 pharmacists and 10,000 stores in the United States, said it received a “single-digit number” of such consumer requests last year, the letter states.
CVS, the country’s largest pharmacy by prescription revenue, said in a statement that it is compliant with HIPAA and that its pharmacy teams are “trained on how to appropriately respond to lawful requests from regulatory agencies and law enforcement.”
“We have suggested a warrant or judge-issued subpoena requirement be considered and we look forward to working cooperatively with Congress to strengthen patient privacy protections,” company spokesperson Amy Thibault said.
Most investigative requests come with a directive requiring the company to keep them confidential, she said; for those that don’t, the company considers “on a case-by-case basis whether it’s appropriate to notify the individual.” The company intends to begin publishing a transparency report that will include information on third-party record requests starting in the first quarter of next year, she said.
HHS did not immediately respond to requests for comment.
A Walgreens spokesperson said the company’s law enforcement process follows HIPAA and other applicable laws. A Walmart spokesperson said the company takes its “customers’ privacy seriously as well as our obligation to law enforcement.”
The other companies, including Amazon, did not respond to requests for comment. Amazon founder Jeff Bezos owns The Washington Post.
Carmel Shachar, an assistant clinical professor at Harvard Law School who researches health law and policy, said that pharmacies hold a “ton of sensitive data” and that pharmacists are probably not trained to evaluate the merits or validity of a police request — or to turn an officer down.