Privacy and security experts respond to CVS HIPAA waivers

By Patrick Ouellette

From both a patient privacy and a legal perspective, news that the CVS ExtraCare Pharmacy & Health Rewards program asks patients to sign a HIPAA waiver has sparked opposing views. Some patients may not care that their data is being mined for internal CVS marketing, or even possibly sold to other pharmaceutical companies, as long as they receive up to $50 in rewards money. Whether CVS can, and should, require patients to fill out these waivers makes for interesting discussion. These LinkedIn comments from the “All Things HITECH” group offer diverse viewpoints on pharmacy patient privacy rights and on whether CVS was in the right from a legal standpoint.

Robert Zimmerman, Partner at Deloitte, Information Technology and Risk Management:

Very interesting. Why the need to ask people to waive their HIPAA privacy rights? Even if CVS is not selling protected health information (PHI) to anyone else, it is obviously using it internally for marketing, tracking or other purposes. I don’t think $50 is worth giving up my right to privacy. Unfortunately, it looks like CVS is being clear with their message.

Chris Apgar, CISSP, CEO and President of Apgar & Associates, LLC:

It sounds like CVS may be headed for another Office for Civil Rights (OCR) headline. As a covered entity, CVS may have a problem – violating the HIPAA Privacy Rule provision that prohibits asking patients to waive their privacy rights.

Dennis Melamed, President at Melamedia, LLC:

You raise an interesting point, Chris. But it doesn’t look like CVS is conditioning treatment on waiving. It’s saying we’ll give you discounts if you absolve CVS of any possible harm from giving the company your data. I’ve always thought that you can do a lot of things as long as you get patient permission. So the question here is whether customers or “patients” are fully aware of what they are doing and what kinds of standards we need for awareness (or consciousness), and that leads to a related question over the utility of notices.

I would also suggest that pharmacy companies, such as CVS, represent a canary in the cage for all things privacy and security related. That’s because CVS and similar companies are both healthcare and consumer companies, and thus governed by a variety of privacy and security regulations. I see the same thing coming (and already here) when it comes to software and the vague distinctions between medical products that come under the purview of treatment (and FDA regulation) and consumer products generally. Because of software, the lines between healthcare and non-healthcare activities are sometimes hard to draw.

Stephen Frew, VP- Risk and Compliance Consultant at Johnson Insurance Services LLC:

If CVS gets away with this, every provider can structure a “benefit” program that can provide legal consideration for a waiver of HIPAA and avoid privacy entirely. It will be even easier in the commercial world where contract terms trump legal rights in many cases. The only good thing is they are apparently being upfront about it. On the consumer protection and privacy side, however, it appears very contrary to public policy.

It could be argued that in reality, they are charging you MORE if you insist on your legal rights than if you waive them and let them do what they want with your info.



You are correct about that. But that is how things often work now. It is certainly how many freebies work. Again, I think this problem will be more prevalent for “providers” like pharmacies, with a more consumer emphasis, and possibly medical device providers, than in areas in which we conventionally think of treatment. One reason I say this is that we have a tough time now figuring out what the cost of healthcare costs us (or the health insurer) now. That theory goes out the window if your doctor works at 7/11.

Michael Rogers, Information Security Analyst at Grand View Hospital:

In all honesty, the first step I would take is to find another pharmacy. We should be aggressive with all businesses that have repositories of patient healthcare information. Sign a form releasing them from responsibilities… how about you sign a form saying you’re HIPAA compliant before I use you!


Michael, I agree with the changing pharmacies, but I did not advocate that because I already use a pharmacy other than CVS.
