Is CVS rewards program complying with California law?

CVS Caremark's ExtraCare Pharmacy & Health Rewards program requires patients to waive their privacy rights under HIPAA and is unclear about how their medical information will be used.

CVS Caremark insists that it's just complying with federal law by informing customers that their medical information could be "redisclosed" if they sign up for the company's prescription-drug reward program.

Privacy experts, though, question whether CVS is complying with state law.

"California's privacy law is stricter than federal law," said Charles Googooian, a La Canada Flintridge lawyer who specializes in medical-privacy issues. "It doesn't seem like CVS is complying with either the spirit or the letter of state law."

CVS has been scrambling to defend its ExtraCare Pharmacy & Health Rewards program since I recently reported that customers are being required to give up important federal privacy safeguards in return for up to $50 a year in store credits.

CVS maintains that people must relinquish medical-privacy protections under the federal Health Insurance Portability and Accountability Act, or HIPAA, if they want their drug purchases to be applied to the rewards program.

This isn't a small thing being asked of consumers. HIPAA "gives you rights over your health information and sets rules and limits on who can look at and receive your health information," according to the U.S. Department of Health & Human Services.

Insurers, hospitals, doctors, dentists and pharmacies face civil and criminal penalties, including prison terms and fines of up to $1.5 million, for violating the federal law.

In response to my earlier column, CVS sent talking points to its store managers and pharmacists nationwide "to address any customer concerns" and to convey the message that "we do not 're-disclose' patients' personal information."

Patients might have been left with that impression because the enrollment process for the rewards program includes a warning that "my health information may potentially be re-disclosed and thus is no longer protected by the federal Privacy Rule."

Mike DeAngelis, a CVS spokesman, said HIPAA specifies that any privacy waiver must notify people of "the potential" for their information to be shared with others.

Googooian responded that this notice would apply only if a medical business foresees the possibility of such sharing.

"If they're not going to redisclose it, they're duty-bound to keep it private," he said. "That's the basic assumption of the law. You would not be required to include this language unless you wanted to open the door to disclosing people's information."

Walgreens and Rite-Aid have their own prescription-drug rewards programs. But neither company requires customers to forgo their HIPAA rights.

Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse in San Diego, said it's fair for consumers to ask what makes CVS' program so special that it needs a waiver.

"The company seems to be saying that your information is leaving CVS or may leave CVS in the future for marketing purposes," he said.

CVS' DeAngelis acknowledged that the pharmacy sends customers' information to an entity not covered under HIPAA. But he said that simply means the info is going to CVS' retail division, which oversees the ExtraCare program.

"A HIPAA authorization is required to permit ExtraCare to receive identifiable information in order to reward patients based on the number of prescriptions they fill," DeAngelis said.

Under Section 56.11 of the California civil code, any authorization for the release of medical information must specify "the name or functions of the persons or entities authorized to receive the medical information."

The privacy waiver also must state "the specific uses … of the medical information by the persons or entities authorized to receive the medical information."

CVS' waiver authorizes "CVS/pharmacy and its affiliates to share my prescription and other health service records, including my email address, with the ExtraCare program to enroll me in and administer the ExtraCare Pharmacy & Health Rewards program, and to inform me of new programs I may be interested in."

Featured Stories

CTnow is using Facebook comments on stories. To comment on articles, sign into Facebook and enter your comment in the field below. Comments will appear in your Facebook News Feed unless you choose otherwise. To report spam or abuse, click the X next to the comment. For guidelines on commenting, click here.


Kevin Hunt - The Electronic Jungle

Kevin Hunt: Belkin's WeMo Crock-Pot, the smart slow cooker - December 1, 2014 - I will not defend a Wi-Fi-connected can opener, doorbell or toaster, but I will defend almost everything about Belkin's Crock-Pot Smart...

Gail MarksJarvis

Few bargains to be found in foreign funds - March 27, 2015 - It seems so obvious.

David Lazarus

It's fun to be a billionaire -- just ask a billionaire - March 3, 2015 - Here's what went down on Tuesday's Consumer Confidential segment on KTLA-TV:

Korky Vann

NY, Boston, Philly Art Institutions Gear Up For Major Shows - March 26, 2015 - Spring doesn't just bring May flowers, it brings blockbuster shows at museums throughout the Northeast and this year is no exception....