CVS is asking customers to give up privacy protections under HIPAA and allow the company to share their drug purchase information in order to participate in its expanded rewards program, the Los Angeles Times reports.
In February, CVS expanded its ExtraCare rewards program to include prescription drug purchases.
Details of the Program
Under the CVS ExtraCare Pharmacy & Health Rewards program, customers can earn $5 in store credits for every 10 prescriptions they fill at the pharmacy, with a maximum credit of $50 annually.
Participants in the program must "sign a HIPAA Authorization to join" and "re-sign the HIPAA Authorization once per year to retain active enrollment," according to the company's website. CVS also notes that participants must acknowledge that their "health information may potentially be re-disclosed and thus is no longer protected by the federal Privacy Rule."
Concerns About Program
The authorization form allows CVS "to record the prescription earnings of each person who joins" the program, according to the company's site.
However, the site does not clarify that HIPAA protects individuals' rights over their health information and "sets rules and limits on who can look at and receive [individuals'] health information," according to the Times.
It notes that CVS also does not disclose:
- With whom the company potentially could share customers' health information; or
- For what purpose individuals' health information could be shared.
The Times notes that Walgreen and Rite-Aid also have prescription drug reward programs, but neither program requires participants to sign a HIPAA authorization agreement.
CVS spokesperson Mike DeAngelis said the company only uses the authorization "to count the number of prescriptions [participants] are filling" in order to allot store credit.
He said, "We have extensive procedures, stringent policies and state-of-the-art technology in place to protect our customers' personal and health information," adding, "We do not sell, rent or give personal information to any non-affiliated third parties."
However, DeAngelis declined to comment on what CVS means by its statement that customers' health information "may potentially be re-disclosed" (Lazarus, Los Angeles Times, 8/15).