Most major U.S. pharmacy chains regularly disclose customers’ medical information to law enforcement agencies without a warrant, according to a Congressional investigation announced Tuesday and reported in the Washington Post.
In a letter to the Department of Health and Human Services (HHS), Sen. Ron Wyden and Reps. Pramila Jayapal and Sara Jacobs detailed the results of their inquiry into the issue. As part of the investigation, “officials with America’s eight biggest pharmacy giants — Walgreens Boots Alliance, CVS, Walmart, Rite Aid, Kroger, Cigna, Optum Rx and Amazon Pharmacy — told congressional investigators that they required only a subpoena, not a warrant, to share the records.” Pharmacies have unique flexibility under the Under the Health Insurance and Accountability Act (HIPAA) to interpret the legal standard required before disclosing customer medical records to law enforcement. Subpoenas require a less stringent showing than warrants and can be issued by a government agency without the oversight or approval of a judge.
“Although pharmacies are legally permitted to tell their customers about government demands for their data, most don’t,” the letter explains. “As a result, many Americans’ prescription records have few meaningful privacy protections, and those protections vary widely depending on which pharmacy they use.”
In recent comments to HHS, EPIC argued that the HIPAA Privacy Rule should establish a warrant requirement for law enforcement to access protected health information. In this context, law enforcement would have to get a warrant supported by probable cause before seeking a customer’s medical records from a pharmacy.
The ease with which law enforcement can currently obtain pharmacy data is especially concerning as many states continue to criminalize abortion and medication related to reproductive health. According to the Washington Post, nearly 1 in 3 women in the U.S. between the ages of 15 and 44 live in states where abortion is fully or mostly banned. Customers have an expectation of that their reproductive health information at their local pharmacy will remain private. As EPIC detailed in its comments to HHS, amending the HIPAA Privacy Rule to include a warrant requirement “would help normalize privacy protections nationwide and provide clarity to covered entities’ legal departments.”
EPIC regularly advocates for stronger privacy protections for personal health information, including reproductive health information, both under HIPAA and in contexts that fall outside of HIPAA. Recently, EPIC submitted comments to the U.S. Senate Committee on Health, Education, Labor, and Pensions urging the Committee to address the “unique and serious privacy and security risks” posed by the commercial processing of personal health data.