By Googooian's reckoning, this language doesn't make clear that customers' information is moving from a part of the company covered by HIPAA to a part of the company lacking HIPAA protections.
Nor does it spell out the "specific uses" of the information, he said.
For example, what does it take to administer the program, and who does the administering?
CVS says customers' medical information is safe.
"We are committed to protecting the privacy of our customers, and we do not share any of their personal information, which remains protected under consumer privacy laws," DeAngelis said.
That didn't carry much weight for Googooian. Without HIPAA, he noted, customers only have CVS' word that the company isn't sharing their information with others.
"The only reason you would ask people to waive their rights is if you want to open the door to giving their drug information away," he said. "Otherwise, there's no reason."
Lynda Gledhill, a spokeswoman for California Atty. Gen. Kamala D. Harris, declined to comment on the issue, saying only that "the attorney general's office is very interested in privacy issues."
David Lazarus' column runs Tuesdays and Fridays. He also can be seen daily on KTLA-TV Channel 5 and followed on Twitter @Davidlaz. Send your tips or feedback to firstname.lastname@example.org.