Healthcare Information Security

Patient Privacy News

Report: Walgreens ‘Well Experience’ exposed patient data

By Patrick Ouellette

- Even when an organization such as Walgreens that handles protected health information (PHI) tries to improve the consumer experience, it must tread lightly in doing so. Within the past year or so, Walgreens has released its “Well Experience” model in which pharmacists are out in the stores and consulting with customers at desks out on the floor instead of behind a counter. However, a September 2013 report by advocacy group Change to Win (CtW) highlights some of the privacy infractions that may occur as a result of the new program.

Though there were other concerns, such as the pharmacists being distracted during patient discussions, but the larger issue appeared to be that the pharmacists were leaving their desks unattended and potentially exposing patient data. The CtW study said “Among the types of paper information unattended were doctors’ prescriptions; completed health test authorization forms including patient medical history or test results; and patient call lists, listing patient names, telephone phone numbers, and prescribed drugs.”

Additionally, CtW said reported that HIPAA-protected patient information, such as medical histories, was left unattended open to the public in 80 percent of stores. CtW filed a complaint in September with the Office for Civil Rights (OCR) for the alleged HIPAA violations. According to CtW, the OCR has begun an investigation into HIPAA violations at Well Experience pharmacies and U.S. Senator Ed Markey has called on the Walgreens to protect patient privacy at Well Experience locations.

CtW led a follow-up investigation from November 2013 to March 2014, making 52 visits to 26 Walgreens stores in Arizona, Illinois and Indiana. It found that 73 percent of stores still left PHI exposed at unattended desks and cited understaffed locations as a potential reason for the desks being left alone.

In spite of the report and pending OCR investigation, Walgreens continues to build Well Experience desks with the allegedly inadequate privacy protections. Walgreens has dealt with HIPAA violations in the recent past, as it had to make a $1.44 million payment to an Indiana woman after a pharmacist inappropriately shared her PHI. Whether OCR takes that violation into account when assessing the current situation with the wellness booths will be interesting.



SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks