Law enforcement agencies have gained access to the prescription records of thousands of Americans from major pharmacy chains without obtaining a warrant, according to a congressional inquiry. The investigation revealed that three of the largest pharmacy groups—CVS Health, Kroger, and Rite Aid—do not mandate legal reviews by staff members before releasing information requested by law enforcement. Conversely, Walgreens, Cigna, Optum Rx, Walmart, and Amazon reported that they require a legal review before complying with such requests.
The inquiry, initiated in June by Senator Ron Wyden of Oregon and Representatives Pramila Jayapal of Washington and Sara Jacobs of California, all Democrats, raised concerns about patient privacy and the varying policies among pharmacy chains. The letter detailing the findings was addressed to Xavier Becerra, the secretary of health and human services.
The lawmakers began their inquiry against the backdrop of the Supreme Court’s decision, a year ago, to end the constitutional right to an abortion. Since then, concerns about privacy regarding access to birth control and abortion medication have intensified. The congressional investigation found that pharmacies receive tens of thousands of legal requests annually for patients’ pharmacy records, with the majority submitted in connection with civil litigation.
CVS, Kroger, and Rite Aid, according to the inquiry, indicated that their pharmacy staff faces intense pressure to respond immediately to law enforcement demands, leading the companies to instruct their staff to process those requests in the store. The inquiry raised questions about the privacy protections for Americans’ prescription records and the wide variation depending on the pharmacy used.
Nearly 50 Democratic members of Congress wrote to Secretary Becerra in July, urging the Health and Human Services Department to expand regulations under the Health Insurance Portability and Accountability Act (HIPAA). The proposed expansion would require law enforcement agencies to obtain a warrant to access medical records and necessitate patient notification when records are requested.
The congressional letter emphasized the private and sensitive nature of prescription records, stating that they reveal extremely personal details about a person’s life. The lawmakers urged the Health and Human Services Department to strengthen HIPAA regulations to align them more closely with Americans’ expectations of privacy and constitutional principles.
In response, CVS maintained that its processes are consistent with HIPAA, and its pharmacy teams are trained to appropriately respond to lawful requests. The company suggested considering a warrant or judge-issued subpoena requirement and expressed a willingness to cooperate with Congress in strengthening patient privacy protections.
The Health and Human Services Department has already taken steps to enhance data protection for reproductive health under HIPAA. In April, its Office for Civil Rights proposed a rule preventing health care providers and insurers from disclosing information to state officials seeking to prosecute someone for seeking or providing a legal abortion.
While efforts to reinforce HIPAA by congressional Democrats aim to address privacy concerns, some experts argue that the law itself may not provide as much protection as commonly perceived. Michelle Mello, a professor of law and health policy at Stanford, noted that requiring a warrant instead of a subpoena may not necessarily eliminate privacy concerns. Additionally, patient notifications about record disclosures would likely occur only after the fact.
Professor Mello suggested that placing the onus on pharmacy employees to resist law enforcement demands adds complexity and may not be fair. She emphasized that HIPAA was not designed to enable health care providers to resist attempts to enforce laws affecting patients negatively.
the congressional inquiry sheds light on the varying policies of major pharmacy chains regarding the release of patient records to law enforcement, sparking discussions about the need for enhanced privacy protections under HIPAA.