Lawmakers Push For Increased Patient Privacy Regarding Prescription Records

In a letter to HHS, lawmakers addressed patient privacy concerns following instances of pharmacies handing prescription records over to law enforcement without a warrant.

By Jill McKeon

Lawmakers have urged HHS to consider revising HIPAA to further protect patient privacy after observing routine disclosures of patient information from major pharmacy chains to law enforcement agencies without warrants.

Senator Ron Wyden (D-OR), Representative Pramila Jayapal (D-WA), and Representative Sara Jacobs (D-CA) penned a letter to HHS Secretary Xavier Becerra to share “concerning findings” from a recent oversight inquiry into the privacy practices of pharmacies.

“Through briefings with the major pharmacies, we learned that each year law enforcement agencies secretly obtain the prescription records of thousands of Americans without a warrant. In many cases, pharmacies are handing over sensitive medical records without review by a legal professional,” the lawmakers wrote.

“Although pharmacies are legally permitted to tell their customers about government demands for their data, most don’t. As a result, many Americans’ prescription records have few meaningful privacy protections, and those protections vary widely depending on which pharmacy they use.”

In the wake of the Supreme Court’s decision to overturn Roe v. Wade, the three lawmakers set up briefings with the nation’s seven largest pharmacy chains – CVS Health, Walgreens Boots Alliance, Cigna, Optum Rx, Walmart Stores, Inc., The Kroger Company, and Rite Aid Corporation, along with Amazon Pharmacy.

Five of the eight total companies surveyed told the lawmakers that they require law enforcement demands for pharmacy records to be reviewed by legal professionals before responding to their requests. However, three pharmacy chains (CVS Health, Kroger, and Rite Aid) attested that their pharmacy staff “face extreme pressure to immediately respond to law enforcement demands.”

As a result, those three pharmacies instruct their staff to process the requests in the store.

What’s more, all of the surveyed pharmacies said that they do not require a warrant prior to sharing pharmacy records with law enforcement agents, with the exception of when state law requires a warrant.

“Those pharmacies will turn medical records over in response to a mere subpoena, which often do not have to be reviewed or signed by a judge prior to being issued,” the letter continued.

“To justify this low standard of protection, several pharmacies cited language in HHS regulations that allow healthcare providers to disclose such records if it is required by law, pursuant to legal process, or pursuant to an administrative request.”

Because HIPAA gives HHS the ability to determine legal processes surrounding the disclosure of medical records, the lawmakers suggested that it is up to HHS to revise its standards to require a warrant and further protect prescription records.

“Pharmacies can and should insist on a warrant, and invite law enforcement agencies that insist on demanding patient medical records with solely a subpoena to go to court to enforce that demand,” the letter stated.

From the start of the inquiry, CVS Health had a policy in place to publish annual transparency reports on law enforcement demands. Walgreens and Kroger adopted this practice shortly after, providing journalists and policymakers with insight into how often law enforcement agencies request sensitive information from these companies.

The inquiry also revealed that Amazon Pharmacy was the only surveyed pharmacy that had a policy in place for notifying customers about law enforcement demands for pharmacy records.

“However, the HHS regulations put the burden on Americans to request medical record disclosure data, rather than requiring health care providers to notify their patients,” the lawmakers noted. “Consequently, few people ever request such information, even though many would obviously be concerned to learn about disclosures of their private medical records to law enforcement agencies.”

With these considerations in mind, the three lawmakers suggested that there are inconsistencies in how pharmacies approach patient privacy, and current regulations make it difficult for patients to seek out information and to understand how their pharmacies protect their records.

“Moving forward, HHS should address the shortcomings in pharmacy privacy practices identified in our inquiry by revising the HIPAA standard for legal process for disclosure as it finalizes the upcoming regulation, conducting regular pharmacy privacy policy surveys and publishing the findings in an easily understandable format,” the lawmakers concluded. “Americans’ health records deserve the greatest degree of protection available in law.”

In April, the HHS Office for Civil Rights (OCR) addressed a subset of these concerns by issuing a Notice of Proposed Rulemaking (NPRM) with the goal of strengthening HIPAA Privacy Rule protections for those seeking and delivering reproductive healthcare.

The NPRM would prohibit the use or disclosure of protected health information (PHI) for the purposes of investigating or prosecuting patients, providers, and others involved in the provision of legal reproductive healthcare, including abortions.

The proposed rule shows that HHS is looking to bolster privacy protections for those seeking reproductive care. But the three lawmakers are now seeking a sweeping measure that would protect all pharmacy records from law enforcement in the absence of a warrant, and getting HHS on board with that may be more challenging.