Americans are used to signing HIPAA forms at the doctor’s office. Medical facilities and clinics fight to protect valuable and personal patient data, but there is one weak link in the privacy chain. It turns out that pharmacies can turn over private patient information to law enforcement agencies without a warrant.
HIPAA, the Health Insurance Portability and Accountability Act, is a U.S. federal law enacted in 1996. It protects individuals’ health information privacy and ensures the secure transfer of this information when necessary. HIPAA establishes standards for protecting confidential patient data by healthcare providers, health plans, and other entities managing health information. The law also grants patients certain rights regarding their medical records and restricts unauthorized disclosures of personal health information.
According to HIPAA, medical information is private and cannot be obtained unless certain criteria are met. Law enforcement can access hospital records without a warrant in cases where the information is related to criminal activity, especially if the patient is a victim.
A subpoena, often issued by a court, attorney, grand jury, or select government agencies, is a request to acquire evidence for an investigation. It can be directed at entities not directly involved in the case but possessing pertinent information, such as banks or hospitals.
In contrast, a warrant, sanctioned by a judge or magistrate, empowers law enforcement to conduct property searches, wiretaps, and arrests.
Pharmacies can provide medical records solely in response to a subpoena, even though these records are highly private and reveal personal medical details. Current HHS regulations place the responsibility on Americans to request disclosure data for medical records, leaving patients uninformed about the possibility that law enforcement could demand access to them.
In June 2023, congressional Democrats began investigating privacy requirements for big pharmacies like CVS Health, Walgreens Boots Alliance, Cigna, Optum Rx, Walmart, Kroger Company, Rite Aid, and Amazon Pharmacy.
The investigation revealed that five pharmacies require a legal review of law enforcement requests before releasing records. Three pharmacies, CVS Health, The Kroger Company, and Rite Aid, immediately turn records over without legal review. These pharmacies face “pressure to immediately comply” with law enforcement requests, frequently turning the information over in the store.
All investigated pharmacies turned the records over without a warrant, and most don’t notify patients when they do.
Earlier this week, members of Congress wrote a letter to DHS stating their findings and demanding the organization tighten HIPAA laws to cover pharmacy records. In the letter, Senator Ron Wyden (D-OR) and Representatives Pramila Jayapal (D-WA) and Sara Jacobs (D-CA) wrote that “through briefings with the major pharmacies, we learned that each year law enforcement agencies secretly obtain the prescription records of thousands of Americans without a warrant.”
There was no particular incident that triggered the investigation, but Americans are growing concerned about the government’s right to obtain medical records without a warrant since the Supreme Court’s decision to overturn Roe v. Wade. This decision handed the authority to regulate abortions back to individual states, resulting in heightened restrictions across many states.
In 14 states with complete abortion bans, medication abortions using a two-drug regimen are prohibited. Despite this, medication abortions constituted over half of all U.S. abortions in 2020.
Senate Democrats launched the probe over concerns that law enforcement will use pharmaceutical records to verify if a woman has been given abortion medications like mifepristone.
The letter outlines other concerns, including revealing patients’ use of medications to treat anxiety and depression and birth control.
During the investigation, Amazon stated it complied with law enforcement and court-ordered pharmaceutical requests as required by law. Walgreens affirmed that its policy is the same, and both pharmacies inform customers before disclosing health information to law enforcement unless legally prohibited.
CVS stated that its procedures align with HIPAA but suggested that DHS consider adding warrant or judge-issued subpoena requirements before allowing the release of protected information.
When the Biden administration implemented vaccine mandates during the pandemic, it allowed employers to violate HIPAA law by demanding vaccination records and, if an employee was claiming a medical waiver, medical records. But equally alarming is the revelation that governmental agencies could have been monitoring pharmaceutical records for prescriptions of “unapproved” COVID treatments, like Ivermectin and hydroxychloroquine.
The Democrats who initiated this inquiry aim to safeguard “abortion access,” but the revelations are disturbing. Pharmacies are divulging patient information to government agencies without warrants, subpoenas, and possibly even without cause. For once, Democrats have done something beneficial for America – revealing the loophole that potentially allows governmental agencies a different path to spy on Americans.