Healthcare Information Security

HIPAA and Compliance News

CVS rewards program requires customers to waive HIPAA rights

By Patrick Ouellette

- It appears as though CVS Caremark has taken the “nothing in life is free” idiom to a literal level with its customer prescription-drug rewards program. Armed with the proposition of up to $50 per year of in-store credits for customers, CVS requires that those taking advantage of those rewards fill out a HIPAA waiver in which they surrender their data privacy rights.

The CVS website, according to the Los Angeles Times, says that “each person must sign a HIPAA Authorization to join” and that “you must re-sign the HIPAA Authorization once per year to retain active enrollment.” Without explaining the HIPAA rights that these customers are relinquishing, CVS explains in its FAQ section that the HIPAA authorization allows CVS pharmacies to record the prescription earnings of each person who joins the ExtraCare Pharmacy & Health Rewards program.

The HIPAA authorization’s final stage stipulates that customers understand “[their] health information may potentially be re-disclosed and thus is no longer protected by the Federal Privacy Rule.” While CVS doesn’t go into detail about how exactly the information may be used, this looks to essentially be a green light for the pharmacy giant to share patient pharmaceutical practices with other companies.

Alternatively, Mike DeAngelis, a CVS spokesman, told the Times that the ExtraCare Pharmacy & Health Rewards program. “We have extensive procedures, stringent policies and state-of-the-art technology in place to protect our customers’ personal and health information,” he said. “We do not sell, rent or give personal information to any non-affiliated third parties.”

If this statement is accurate, why do patients need to fill out the HIPAA waiver? As the Times reported, neither Rite Aid nor Walgreens ask customers to sign away their privacy rights as part of similar programs. CVS is clearly wary of HIPAA regulations and is trying to absolve itself of potential risks and violations, as even this summer it did away with patient pharmaceutical-paid refill notices.

CVS has been offering this program with these requirements since February, so this isn’t breaking news. But the Times does make a salient point that CVS isn’t doing itself any favors in the court of public opinion and patient data safety shouldn’t be compromised for the mere price of $5 for every 10 prescriptions filled.


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks

Continue to site...