HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Right to Privacy Being Waived for Pharmacy Discounts

The HIPAA right to privacy can be waived if patients agree to let healthcare providers, insurers, and other covered entities access and share their data.

A number of insurers have trialed issuing subscribers with wearable devices that monitor health metrics. In exchange for agreeing to wear the devices that track heart rate, exercise levels, and other vital signs, subscribers are provided with discounts on their premiums. In such cases there is a benefit to both patient and provider. Insurance companies are able to gain a better understanding of the health of subscribers and they can adjust policies and charges accordingly. Subscribers get to monitor their health and wellness more closely and they get a financial reward. Some pharmacies have also started operating similar schemes. Instead of giving discounts on insurance premiums, they give discounts on their products and prescriptions if customers download a smartphone app and agree to share their data.

By offering discounts the pharmacies are able to secure more business. Just like reward cards, the scheme improves brand loyalty. The pharmacies are also able to send patients highly targeted marketing campaigns and show customers adverts on products and services. They also get to find out a lot of very sensitive information about their customers that they would normally not have access to.

Walgreens has now started offering customers this service, following the lead of CVS. Rite Aid is also getting in on the act. All will soon be collecting a considerable amount of data on customers: data classed as Protected Health Information under HIPAA Rules. Patients have a right to privacy under HIPAA Rules, but if they sign a waiver to provide their data to pharmacies, they are allowing their data to be collected, stored, and even shared with third parties.

Discounts are provided on purchases, but the data supplied in exchange is far more valuable. Those data are highly sensitive and cover more than just the number of steps being taken each day. Blood pressure, blood glucose levels, exercise level, weight, age, name, location, and much more are being shared via the smartphone apps. Patients may not be getting a particularly fair deal and could be placing their data at risk of being obtained by other individuals.

Benefits are received in exchange, but discounts on products, prescriptions and other benefits could come at a cost. The data collected may also not be as safe as patients believe. All of the aforementioned pharmacy chains have suffered numerous data breaches over the past few years.

Rite Aid has suffered five data breaches since 2011, one per year, according to the OCR breach portal. CVS Health suffered a breach of 12,914 records in 2015. Five breaches have been suffered in the past five years if its affiliates are also included (CVS Caremark and RXAmerica). Walgreen Co. has suffered 6 reportable data breaches, or 7 if the 109,000-record data breach of affiliate Crescent Health Inc. is included. That is two breaches per year for 2013, 2014 and 2015.

These promotions and smartphone apps are not exclusive to the healthcare industry, but consumers should be wary about giving away access to such sensitive information. They may not be getting such a good deal, and they could be placing their data at a higher risk of being exposed. Some privacy advocates consider such schemes to be particularly worrying.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.