If you get a prescription filled using insurance, that medication goes on a report. * Collects prescription drug purchase history for quantifying the relative mortality risk of life insurance applicants and provides risk scores for underwriting decisions.*
The Health Insurance Portability and Accountability Act, or HIPAA, regulates how health information is used and exchanged among “covered entities” such as hospitals and doctor’s offices. But the law gives pharmacies leeway as to what legal standard they require before disclosing medical records to law enforcement.
HIPAA was never a law about privacy of medical data. It's a law that governs the management of medical data, with very limited protections for privacy. I think most people misunderstand that law, its purpose, and its implications.
I work in this space, and your comment is completely wrong. Data covered by HIPAA is always covered by HIPAA. A covered entity would also include a health insurer, and all payment intermediaries, this is straight from the HHS faq (https://www.hhs.gov/hipaa/for-professionals/faq/covered-enti...)
I don't think you read the article or the links you provided. It clearly states the police are obtaining this information through subpoena and not warrants:
In briefings, officials with America’s eight biggest pharmacy giants — Walgreens Boots Alliance, CVS, Walmart, Rite Aid, Kroger, Cigna, Optum Rx and Amazon Pharmacy — told congressional investigators that they required only a subpoena, not a warrant, to share the records.
And in the link you provided:
When might it be permitted for a pharmacy to disclose PHI to law enforcement officers?
Bearing in mind that, once in a designated record set, PHI could be an individual´s name or physical description, a pharmacy (or pharmacy staff) is permitted to – but not required to – disclose PHI to law enforcement officers in the following six circumstances:
as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests
In this case, the leeway in the standard here is what the pharmacy chooses to comply with. They are choosing to comply with subpoenas. This article points out how that standard could be higher (warrants).
You keep dropping links for me to chase instead of just reading between the lines. Police cannot issue their own subpoenas. Police are not judicial officers. However, they are getting judicial officers to write their subpoenas. A judicial officer does not have to be a judge, therefore the standard is lower than a warrant.
HIPAA law and implementing regs include broad allowances for disclosure to law enforcement, some of which involve some degree of subjective judgement on the part of the covered entity (and most of which do not require a warrant), but, no, it does not allow pharmacies (or any other covered entities) "leeway as to what legal standard they require" (emphasis added) before such disclosure.
Unfortunately for that idea, the law enforcement disclosures allowed under HIPAA are not limited to disclosures related to violations of federal law, or disclosures only to federal law enforcement.
I'm in Canada so HIPAA doesn't apply for me but when I was going into my second year of university the student union signed a contract with a health insurance company that provided some piddly policy for students that was mandatory unless you could provide proof of insurance with another company.
Not only was there no way to refuse this but you were automatically enrolled unless you could provide that proof by a certain date.
I got into an argument with the student president about this because I considered it a massive overreach for the school to give my information to the student union who then turns around and gives it to a third party, and that this is just some how a part of completing post secondary education. He was adamant that it was both legal and ethical, and that there was no privacy violation that occurred.
I ended up opting out in time but a few months later I received an email from the insurance company stating that they had been hacked and they weren't quite sure what information had been leaked.
I've never found out what information was transmitted from the student union to the health insurance company, if the company managed to get access to my health records, or if that company has sold those records, or been acquired by a large company that has added those records to their collection, or what the hackers manged to steal.
I guess this is all legal because some student union that gets less than 9% of the student body to vote for them said so?
Depends on province, you might be covered under a provincial regulation. PIPEDA takes effect if your province doesn't have a substantially similar law. PIPEDA came into effect in 2000.
> He was adamant that it was both legal and ethical, and that there was no privacy violation that occurred.
I could understand about it being legal, maybe even ethical (ethical codes can differ) -- but to argue that there is no privacy violation? That just seems completely delusional.
> I've never found out what information was transmitted from the student union to the health insurance company, if the company managed to get access to my health records
The insureco initially would only get your basic demographics (name, gender, age, DOB, phone# & maybe address). The student union doesn't have anything else to give.
In terms of health info, the insureco would only have what you gave them (indirectly via the pharmacy if you presented a prescription for billing to your health plan).
So other than the basic demographics, even if you're forced into the plan, any further info the insureco gets is voluntarily provided by you (but I get that it's a kick in the teeth to pay for insurance, but not use it).
> I ended up opting out in time
were you already with another insurance company provided by someone's employer? Mine keeps changing providers every few years and I can't opt-out other than resign.
When you buy health insurance, you sign a temporary HIPAA release (limited duration) to cover the period that they are underwriting. They can only query your specific pharmacy records for the purposes of underwriting. So yes, this is a HIPAA violation when it is being used by the police. I work in this space with HIPAA data.
> Required by Law. Covered entities may use and disclose protected health information without individual authorization as required by law (including by statute, regulation, or court orders).29
> Judicial and Administrative Proceedings. Covered entities may disclose protected health information in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal. Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided.33
> Law Enforcement Purposes. Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to a law enforcement official's request for information about a victim or suspected victim of a crime; (4) to alert law enforcement of a person's death, if the covered entity suspects that criminal activity caused the death; (5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and (6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.34
> Essential Government Functions. An authorization is not required to use or disclose protected health information for certain essential government functions. Such functions include: assuring proper execution of a military mission, conducting intelligence and national security activities that are authorized by law, providing protective services to the President, making medical suitability determinations for U.S. State Department employees, protecting the health and safety of inmates or employees in a correctional institution, and determining eligibility for or conducting enrollment in certain government benefit programs.41
Of particular note are the exemptions in 45 CFR 164.512(k)(2) applicable to powers granted by executive order 12333 (on mass surveillance). When this exemption is used it makes discovering whether, when, how, or why your data was collected or used practically impossible.
This is actually a pretty good use of the data if its done by a university for a study or the NIH in a nonprofit capacity. Using prescription data on insurance to see outcomes at a societial level for prescriptions since it's all in one place.
Of course life insurance companies will instead use the data to decide someone's premiums or whether to give them life insurance at all if a prescription shows up on that persons history when they try to sign up.
Does HIPPA apply if its a large study and each is anonymonized? I'm assuming insurance companies already use the data so the 20 page EULA already has consent.
Don't know. I'm not talking about legalities, I'm talking about ethics. I'm talking about getting actual consent, not the fake "consent" that tends to get snuck into contracts.
It's funny we are talking about this since yesterday i went to a new doctor and they used my prescription history that they already have access to im guessing in the same software they used to prescribe to ask me about the medications i am taking instead of taking my word for it on the form i filled out.
This sort of thing underscores how impossible it is to stay safe in our society. If you can't even get medical care without your data being mined for all it's worth, what can you do?
We can start by not voting for the usual suspects because the usual suspects mean the usual routine. Telling ourselves that "these usual suspects" are slightly better than "those usual suspects" is a poor trade. It garantees the usual routine.
There is more of course, such as insisting on the more private path when there is an option. Because often there is an option. Just not always.
Also this one is actually very easy to answer:
> Though some of the chains require their lawyers to review law enforcement requests, three of the largest — CVS Health, Kroger and Rite Aid, with a combined 60,000 locations nationwide — said they allow pharmacy staff members to hand over customers’ medical records in the store.
So there you go: CVS, Kroger, Rite Aid are clearly sending us to their competitors. In most places, it's easy to shift prescriptions to a competitor.
> So there you go: CVS, Kroger, Rite Aid are clearly sending us to their competitors. In most places, it's easy to shift prescriptions to a competitor.
Where I am, every pharmacy is one of those three. There are no competitors to shift to.
Well, then YOU are stuck (although Amazon mail order might help you). The rest of us will avoid these 3. That's fine.
It's about adding pressure - since no matter what no pharmacy will be completely immune to a cop "leaning over the counter". And pharmacies are only a small part of the problem.
Doesn't surprise me a bit. Deal with anything sensitive and companies are very prone to cooperating with the police rather than have them cause trouble when they don't get what they want right now.
As a former CEO of a pharma startup I can tell you that you can buy this information as well. Really useful for market research, but shit for patient privacy.
Anyone remembers the video rental privacy law? In the US we basically for some reason must have a specific law about each specific modality. For those who don't remember, it was explicitely illegal for video stores to disclose rental records (still is). And of course, you guessed it, this law happened because a politician had their rental records disclosed (a judge in this case) https://en.wikipedia.org/wiki/Video_Privacy_Protection_Act
Apparently some digital video lawyers are trying to use it there.
And I don't know how well it blocked disclosures when cops asked.
Librarians at (good) public libraries are used to refusing disclosure.
46 comments
[ 3.0 ms ] story [ 114 ms ] threadhttps://www.consumerfinance.gov/consumer-tools/credit-report...
Even if you don’t use insurance, it may still be possible to wind up on this list.
The Health Insurance Portability and Accountability Act, or HIPAA, regulates how health information is used and exchanged among “covered entities” such as hospitals and doctor’s offices. But the law gives pharmacies leeway as to what legal standard they require before disclosing medical records to law enforcement.
I'm not seeing anything that explicitly calls out Pharmacies.
The police are breaking federal law and the article is wrong. This is not a gray area.
In briefings, officials with America’s eight biggest pharmacy giants — Walgreens Boots Alliance, CVS, Walmart, Rite Aid, Kroger, Cigna, Optum Rx and Amazon Pharmacy — told congressional investigators that they required only a subpoena, not a warrant, to share the records.
And in the link you provided:
When might it be permitted for a pharmacy to disclose PHI to law enforcement officers?
Bearing in mind that, once in a designated record set, PHI could be an individual´s name or physical description, a pharmacy (or pharmacy staff) is permitted to – but not required to – disclose PHI to law enforcement officers in the following six circumstances:
as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests
In this case, the leeway in the standard here is what the pharmacy chooses to comply with. They are choosing to comply with subpoenas. This article points out how that standard could be higher (warrants).
I really don't want to keep googling things for you. The police are not judicial officers. Yes, I've read the article.
See, generally, https://www.hhs.gov/hipaa/for-professionals/faq/505/what-doe... and the regulations cited therein.
Not only was there no way to refuse this but you were automatically enrolled unless you could provide that proof by a certain date.
I got into an argument with the student president about this because I considered it a massive overreach for the school to give my information to the student union who then turns around and gives it to a third party, and that this is just some how a part of completing post secondary education. He was adamant that it was both legal and ethical, and that there was no privacy violation that occurred.
I ended up opting out in time but a few months later I received an email from the insurance company stating that they had been hacked and they weren't quite sure what information had been leaked.
I've never found out what information was transmitted from the student union to the health insurance company, if the company managed to get access to my health records, or if that company has sold those records, or been acquired by a large company that has added those records to their collection, or what the hackers manged to steal.
I guess this is all legal because some student union that gets less than 9% of the student body to vote for them said so?
But PIPEDA definitely applies to this situation, but PIPEDA only came into effect on April 2020 so it would depend upon when you were a student.
I could understand about it being legal, maybe even ethical (ethical codes can differ) -- but to argue that there is no privacy violation? That just seems completely delusional.
The insureco initially would only get your basic demographics (name, gender, age, DOB, phone# & maybe address). The student union doesn't have anything else to give.
In terms of health info, the insureco would only have what you gave them (indirectly via the pharmacy if you presented a prescription for billing to your health plan).
So other than the basic demographics, even if you're forced into the plan, any further info the insureco gets is voluntarily provided by you (but I get that it's a kick in the teeth to pay for insurance, but not use it).
> I ended up opting out in time
were you already with another insurance company provided by someone's employer? Mine keeps changing providers every few years and I can't opt-out other than resign.
It is not, because HIPAA includes an "official/governmental purposes" exemption. See exemption (5)
https://www.hhs.gov/hipaa/for-professionals/privacy/laws-reg...
> Required by Law. Covered entities may use and disclose protected health information without individual authorization as required by law (including by statute, regulation, or court orders).29
> Judicial and Administrative Proceedings. Covered entities may disclose protected health information in a judicial or administrative proceeding if the request for the information is through an order from a court or administrative tribunal. Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided.33
> Law Enforcement Purposes. Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, and subject to specified conditions: (1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; (2) to identify or locate a suspect, fugitive, material witness, or missing person; (3) in response to a law enforcement official's request for information about a victim or suspected victim of a crime; (4) to alert law enforcement of a person's death, if the covered entity suspects that criminal activity caused the death; (5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and (6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.34
> Essential Government Functions. An authorization is not required to use or disclose protected health information for certain essential government functions. Such functions include: assuring proper execution of a military mission, conducting intelligence and national security activities that are authorized by law, providing protective services to the President, making medical suitability determinations for U.S. State Department employees, protecting the health and safety of inmates or employees in a correctional institution, and determining eligibility for or conducting enrollment in certain government benefit programs.41
https://www.law.cornell.edu/cfr/text/45/164.512
And then there's the HHS interpretation of the above for providers, which is... porous:
https://www.hhs.gov/hipaa/for-professionals/faq/505/what-doe...
Of particular note are the exemptions in 45 CFR 164.512(k)(2) applicable to powers granted by executive order 12333 (on mass surveillance). When this exemption is used it makes discovering whether, when, how, or why your data was collected or used practically impossible.
Of course life insurance companies will instead use the data to decide someone's premiums or whether to give them life insurance at all if a prescription shows up on that persons history when they try to sign up.
As long as everyone who's data is used has consented to it, then yes.
So utterly depressing.
There is more of course, such as insisting on the more private path when there is an option. Because often there is an option. Just not always.
Also this one is actually very easy to answer:
> Though some of the chains require their lawyers to review law enforcement requests, three of the largest — CVS Health, Kroger and Rite Aid, with a combined 60,000 locations nationwide — said they allow pharmacy staff members to hand over customers’ medical records in the store.
So there you go: CVS, Kroger, Rite Aid are clearly sending us to their competitors. In most places, it's easy to shift prescriptions to a competitor.
Where I am, every pharmacy is one of those three. There are no competitors to shift to.
It's about adding pressure - since no matter what no pharmacy will be completely immune to a cop "leaning over the counter". And pharmacies are only a small part of the problem.
Is it anonymised or “anonymised”? (Put another way, are there zip codes?)
[1] https://www.collinsdictionary.com/dictionary/english/anonymi...
It hasn't been anonymized to beyond a degree of k-anonymity since at least 2018. With extra datasets like Plaid, or financials; all bets are off.
Apparently some digital video lawyers are trying to use it there.
And I don't know how well it blocked disclosures when cops asked.
Librarians at (good) public libraries are used to refusing disclosure.
But no, not pharmacies.