Why Does CVS Need A HIPAA Waiver To Count How Many Prescriptions You Fill?

If you don’t mind trading your shopping history and personal data for free stuff or discounts, loyalty card programs offer some great benefits if you were going to be loyal to a business in the first place. The question is, how much of your privacy are you willing to give up for some discounts?

That’s what the LA Times wonders about customer rewards for filling prescriptions at CVS. The thing is, CVS requires customers who want to add rewards for prescriptions to their ExtraCare loyalty cards can do so if they live in a state where that kind of thing is allowed, and if their health insurer allows it. Great. CVS requires customers to sign a waiver of their rights under the federal Health Insurance Portability and Accountability Act (HIPAA.) A company representative explains that they only need customers to sign off on this for only one reason: so that the rewards program can count how many prescriptions you’ve had filled. Not any other data: just the number of bottles you take home.

That’s okay, but that isn’t what the relevant part of the program enrollment says. Even if the number of prescriptions is all that CVS needs, the actual wording is this:

…my health information may potentially be re-disclosed and thus is no longer protected by the federal Privacy Rule.

They mean HIPAA, by the way, which isn’t explained or spelled out anywhere on the enrollment forms.

What’s confusing about the policy at CVS is that the chain’s direct competitors, Rite Aid and Walgreens/Duane Reade, have similar programs that award points to customers for filling prescriptions. They do not, however, require customers to waive their HIPAA rights to do so.

When the Times’ David Lazarus asked a CVS representative about that, he sort of implied that the other chains aren’t really counting the real number of prescriptions that their customers fill. Which makes no sense.

If you fill 50 prescriptions per year at CVS, you can earn a maximum of $50 through this program. It’s up to you whether that’s worth giving up the rights to your prescription info, which can reveal important and potentially damaging things in the wrong hands

CVS thinks $50 is enough reward for giving up healthcare privacy [LA Times]