Is CVS rewards program complying with California law?
CVS Caremark insists that it’s just complying with federal law by informing customers that their medical information could be “redisclosed” if they sign up for the company’s prescription-drug reward program.
Privacy experts, though, question whether CVS is complying with state law.
“California’s privacy law is stricter than federal law,” said Charles Googooian, a La Canada Flintridge lawyer who specializes in medical-privacy issues. “It doesn’t seem like CVS is complying with either the spirit or the letter of state law.”
CVS has been scrambling to defend its ExtraCare Pharmacy & Health Rewards program since I recently reported that customers are being required to give up important federal privacy safeguards in return for up to $50 a year in store credits.
CVS maintains that people must relinquish medical-privacy protections under the federal Health Insurance Portability and Accountability Act, or HIPAA, if they want their drug purchases to be applied to the rewards program.
This isn’t a small thing being asked of consumers. HIPAA “gives you rights over your health information and sets rules and limits on who can look at and receive your health information,” according to the U.S. Department of Health & Human Services.
Insurers, hospitals, doctors, dentists and pharmacies face civil and criminal penalties, including prison terms and fines of up to $1.5 million, for violating the federal law.
In response to my earlier column, CVS sent talking points to its store managers and pharmacists nationwide “to address any customer concerns” and to convey the message that “we do not ‘re-disclose’ patients’ personal information.”
Patients might have been left with that impression because the enrollment process for the rewards program includes a warning that “my health information may potentially be re-disclosed and thus is no longer protected by the federal Privacy Rule.”
Mike DeAngelis, a CVS spokesman, said HIPAA specifies that any privacy waiver must notify people of “the potential” for their information to be shared with others.
Googooian responded that this notice would apply only if a medical business foresees the possibility of such sharing.
“If they’re not going to redisclose it, they’re duty-bound to keep it private,” he said. “That’s the basic assumption of the law. You would not be required to include this language unless you wanted to open the door to disclosing people’s information.”
Walgreens and Rite-Aid have their own prescription-drug rewards programs. But neither company requires customers to forgo their HIPAA rights.
Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse in San Diego, said it’s fair for consumers to ask what makes CVS’ program so special that it needs a waiver.
“The company seems to be saying that your information is leaving CVS or may leave CVS in the future for marketing purposes,” he said.
CVS’ DeAngelis acknowledged that the pharmacy sends customers’ information to an entity not covered under HIPAA. But he said that simply means the info is going to CVS’ retail division, which oversees the ExtraCare program.
“A HIPAA authorization is required to permit ExtraCare to receive identifiable information in order to reward patients based on the number of prescriptions they fill,” DeAngelis said.
Under Section 56.11 of the California civil code, any authorization for the release of medical information must specify “the name or functions of the persons or entities authorized to receive the medical information.”
The privacy waiver also must state “the specific uses … of the medical information by the persons or entities authorized to receive the medical information.”
CVS’ waiver authorizes “CVS/pharmacy and its affiliates to share my prescription and other health service records, including my email address, with the ExtraCare program to enroll me in and administer the ExtraCare Pharmacy & Health Rewards program, and to inform me of new programs I may be interested in.”
By Googooian’s reckoning, this language doesn’t make clear that customers’ information is moving from a part of the company covered by HIPAA to a part of the company lacking HIPAA protections.
Nor does it spell out the “specific uses” of the information, he said.
For example, what does it take to administer the program, and who does the administering?
It’s also questionable whether the waiver adequately informs people that their names and contact information may be shared with “outside companies as contractors or agents of CVS/pharmacy to help deliver promotional information and offers,” as permitted under the privacy policy of CVS’ ExtraCare program.
CVS says customers’ medical information is safe.
“We are committed to protecting the privacy of our customers, and we do not share any of their personal information, which remains protected under consumer privacy laws,” DeAngelis said.
That didn’t carry much weight for Googooian. Without HIPAA, he noted, customers only have CVS’ word that the company isn’t sharing their information with others.
“The only reason you would ask people to waive their rights is if you want to open the door to giving their drug information away,” he said. “Otherwise, there’s no reason.”
Lynda Gledhill, a spokeswoman for California Atty. Gen. Kamala D. Harris, declined to comment on the issue, saying only that “the attorney general’s office is very interested in privacy issues.”
David Lazarus’ column runs Tuesdays and Fridays. He also can be seen daily on KTLA-TV Channel 5 and followed on Twitter @Davidlaz. Send your tips or feedback to david.lazarus@latimes.com.
