HIPAA Right to Privacy Being Waived for Pharmacy Discounts

Share this article on:

The HIPAA right to privacy can be waived if patients agree to let healthcare providers, insurers, and other covered entities access and share their data.

A number of insurers have trialed issuing subscribers with wearable devices that monitor health metrics. In exchange for agreeing to wear the devices that track heart rate, exercise levels, and other vital signs, subscribers are provided with discounts on their premiums. In such cases there is a benefit to both patient and provider. Insurance companies are able to gain a better understanding of the health of subscribers and they can adjust policies and charges accordingly. Subscribers get to monitor their health and wellness more closely and they get a financial reward. Some pharmacies have also started operating similar schemes. Instead of giving discounts on insurance premiums they give discounts on their products and prescriptions, if customers download a Smartphone app and agree to share their data.

By offering discounts the pharmacies are able to secure more business. Just like reward cards, the scheme improves brand loyalty. The pharmacies are also able to send patients highly targeted marketing campaigns and show customers adverts on products and services. They also get to find out a lot of very sensitive information about their customers that they would normally not have access to.

Walgreens has now started offering customers this service, following the lead of CVS. Rite Aid is also getting in on the act. All will soon be collecting a considerable amount of data on customers: Data classed as Protected Health Information under HIPAA Rules. Patients have a right to privacy under HIPAA Rules, but if they sign a waiver to provide their data to pharmacies, they are allowing their data to be collected, stored, and even shared with third parties.

Discounts are provided on purchases, but the data supplied in exchange is far more valuable. Those data are highly sensitive and cover more than just the number of steps being taken each day. Blood pressure, blood glucose levels, exercise level, weight, age, name, location, and much more are being shared via the Smartphone apps. Patients may not be getting a particularly fair deal and could be placing their data at risk of being obtained by other individuals.

Benefits are received in exchange, but discounts on products, prescriptions and other benefits could come at a cost. The data collected may also not be as safe as patients believe. All of the aforementioned pharmacy chains have suffered numerous data breaches over the past few years.

Rite Aid has suffered five data breaches since 2011. One per year, according the OCR breach portal. CVS Health suffered a breach of 12,914 records in 2015. Fives breaches have been suffered in the past five years if its affiliates are also included (CVS Caremark and RXAmerica). Walgreen Co., has suffered 6 reportable data breaches. 7 if the 109,000-record data breach of affiliate Crescent Health Inc. is included. That is two breaches per year for 2013, 2014 and 2015.

These promotions and Smartphone apps are not exclusive to the healthcare industry, but consumers should be wary about giving away access to such sensitive information. They may not be getting such a good deal, and they could be placing their data at a higher risk of being exposed. Some privacy advocates consider such schemes to be particularly worrying.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On