The drugstore chain is expanding its ExtraCare rewards program for prescription drugs, but to join, consumers must give up healthcare privacy protections under HIPAA.
5:54 PM PDT, August 15, 2013
Since February, CVS Caremark has been pushing its pharmacists to enroll customers in a prescription-drug rewards program.
The benefit to customers is the opportunity to earn up to $50 a year in store credits that can be used to buy shampoo, toothpaste or other products.
The benefit to CVS is persuading pharmacy customers, through questionable means, to give up federal privacy safeguards for their medical information and permitting the company to share people’s drug purchases with others.
“It’s very troubling,” said Paul Stephens, director of policy and advocacy for the Privacy Rights Clearinghouse in San Diego.
“Your medical information is very sensitive,” he said. “Pharmaceutical companies obviously would want to know what you’re taking and get you to buy more expensive medicines.”
Walgreens and Rite-Aid have their own rewards programs for prescription drugs. But officials at each company said they don’t require customers to relinquish federal privacy protections.
CVS announced Feb. 4 that it was expanding its ExtraCare rewards program to include prescription drug purchases. The new program, ExtraCare Pharmacy & Health Rewards, allows customers to earn $5 worth of store credits for every 10 prescriptions filled, up to $50 a year.
“Pharmacy is the heart of our business, and we know how important it is to help our customers manage multiple prescriptions and adhere to their medication therapy,” said Rob Price, senior vice president and chief marketing officer for CVS’ drugstore operations.
“This new program expands the ExtraCare rewards customers love, encouraging our customers to more proactively manage their overall health.”
Clearly, however, there’s more to the program than that.
The fine print on CVS’ website says that “each person must sign a HIPAA Authorization to join” and that “you must re-sign the HIPAA Authorization once per year to retain active enrollment.”
Among the site’s frequently asked questions for the program is, “Why do I need to sign a HIPAA Authorization?”
The answer: “The HIPAA Authorization allows CVS/pharmacy to record the prescription earnings of each person who joins the ExtraCare Pharmacy & Health Rewards program.”
Nowhere does CVS clarify what HIPAA is. It’s a serious omission.
HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. It’s a privacy law that, according to the U.S. Department of Health & Human Services, “gives you rights over your health information and sets rules and limits on who can look at and receive your health information.”
Basically, HIPAA requires insurers, hospitals, doctors, dentists and pharmacies to keep your medical information under wraps. Breaking the law can result in civil and criminal penalties, including prison terms and fines of up to $1.5 million for each violation.
What CVS calls a “HIPAA Authorization,” therefore, is not to be taken lightly. Nor is it simply a matter of allowing the company “to record the prescription earnings” of ExtraCare members, as CVS indicates during the final stage of the enrollment process.
That last step is where you encounter a screen saying you acknowledge that “my health information may potentially be re-disclosed and thus is no longer protected by the federal Privacy Rule.”
CVS takes the liberty of assuming you know that HIPAA and the “federal Privacy Rule” are one and the same, although it has nowhere made the connection clear.
The company also assumes you are aware of what it means to no longer be protected by HIPAA, although, again, it hasn’t spelled out the implications of giving up your HIPAA rights.
Nor has CVS disclosed with whom your previously confidential medical information may be shared and for what purposes.
HIPAA prevents drugstores from sharing customers’ confidential medical information with insurers, pharmaceutical companies, marketers and anyone else with an interest in what medicines people are taking, said Andrew Hicks at Coalfire Systems, a consulting firm that helps clients comply with HIPAA regulations.
“Without HIPAA, they could be shipping data to who knows where,” he said. “As a consumer, you’d have no idea where your information is.”
Mike DeAngelis, a CVS spokesman, said the ExtraCare Pharmacy & Health Rewards program “gives members more ways to earn rewards for actions they take to stay healthy, such as filling prescriptions and getting a flu shot.”
“We have extensive procedures, stringent policies and state-of-the-art technology in place to protect our customers’ personal and health information,” he said. “We do not sell, rent or give personal information to any non-affiliated third parties.”
By signing the HIPAA release, DeAngelis said, “customers are authorizing ExtraCare only to count the number of prescriptions they are filling as an individual,” which allows CVS to determine how much in store credits to allot.
He declined to answer when I asked if CVS believes it is adequately disclosing what HIPAA is or what the potential ramifications could be for those who forgo their privacy rights.
DeAngelis also declined to say what CVS means by stating that customers’ health information “may potentially be re-disclosed.”
Nor would he comment on an internal memo shared with me by a CVS pharmacist showing that the company sets weekly targets for enrolling customers in its pharmacy rewards program.
One other thing DeAngelis declined to address: Why CVS requires customers to sign a HIPAA release when rivals Walgreens and Rite-Aid do not for their own rewards programs.
All he’d say was that he doesn’t believe Walgreens and Rite-Aid “are rewarding customers based on the number of prescriptions filled.”
Rite-Aid’s wellness+ card offers points every time a prescription is refilled. Points can be redeemed for, among other things, restaurant gift certificates, magazine subscriptions and gym memberships.
“We do not require customers enrolling in wellness+ to waive their HIPAA privacy rights because we do not disclose or share patients’ medical information enrolled in this program,” said Ashley Flower, a Rite-Aid spokeswoman.
Walgreens’ Balance Rewards program also offers points for prescription refills. Points can be redeemed for cash discounts on store purchases.
Rite-Aid and Walgreens have found ways to reward drug customers without violating their HIPAA protections.
What is it about CVS’ program that necessitates customers abandoning their federal privacy rights? CVS isn’t saying.
But $50 worth of store credits is hardly fair compensation for such a marketing prize.