Governance & Risk Management , Healthcare , HIPAA/HITECH
Lawmakers Urge HHS to Shield Pharmacy Records From Police
Regulators Advised to Protect Patients From 'Warrantless' Requests on PrescriptionsThree members of Congress are urging the Department of Health and Human Services to improve HIPAA privacy protections around pharmacy information. The request comes after the lawmakers asked major pharmacy companies how they handle law enforcement requests for patient records.
See Also: Using the Netskope HIPAA Mapping Guide
The three lawmakers - Sen. Ron Wyden, D-Ore., who is Senate Finance Committee chair; Rep. Pramila Jayapal, D-Wash.; and Rep. Sara Jacobs, D-Calif. - in their letter Tuesday to HHS Secretary Xavier Becerra pressed HHS to revise its HIPAA privacy rule regulations to better protect patients' pharmacy data from "warrantless law enforcement agency demands."
"Americans' prescription records are among the most private information the government can obtain about a person," the lawmakers wrote. "They can reveal extremely personal and sensitive details about a person's life, including prescriptions for birth control, depression or anxiety medications, or other private medical conditions," the letter says.
HHS should address "shortcomings" the lawmakers identified in a recent survey of the privacy practices of several major pharmacy companies by revising the HIPAA standard for the legal process or records disclosure as it finalizes proposed updates to HIPAA regulations, the letter says.
Proposed Rule Changes
In April, the HHS Office for Civil Rights issued a notice of proposed rule-making for updates to the HIPAA privacy rule to help better protect reproductive health data (see: HHS Wants HIPAA Changes to Protect Reproductive Health Info).
The Biden administration's proposed modifications to the HIPAA Privacy Rule would prohibit the use or disclosure of protected health information to investigate or prosecute patients, providers and others involved in the delivery of lawful reproductive healthcare, including abortions.
HHS OCR in 2022, shortly after the Supreme Court's repeal of Roe v. Wade, also issued HIPAA Privacy Rule guidance pertaining to disclosures of patient information for law enforcement purposes.
"In its April notice of proposed rule-making regarding reproductive healthcare privacy, HHS has already proposed to revise the Privacy Rule to only permit a covered entity to disclose protected health information to a law enforcement official in response to an 'administrative request' if a response is required by law," said privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"The proposed rule blocks disclosures of reproductive healthcare information from disclosure to law enforcement, even if there is a warrant or court order," he added. "But I don't think that HHS will go as far as the three legislators urge - prohibiting disclosure of any protected health information to law enforcement absent a warrant or court order."
"Even if HHS was inclined to do so, I imagine that Department of Justice would have strong views on such a proposed change during the interdepartmental clearance process," Greene said.
Pharmacy Disclosure Practices
The lawmakers in their letter to HHS said that through recent briefings and inquires, they asked eight major companies - Amazon Pharmacy, Cigna, CVS Health, Optum Rx, The Kroger Co., Rite Aid, Walgreens Boots Alliance and Walmart - about how their pharmacies handle law enforcement requests for prescription records and other health records.
The legislators found that none of the major pharmacies require a warrant to share prescription records with law enforcement agencies unless there is a state law that requires one.
Five of the companies - Amazon, Cigna, Optum Rx, Walmart and Walgreens - told the lawmakers that they require law enforcement demands for pharmacy records to be reviewed by legal professionals prior to responding to those requests.
Three firms - CVS Health, Kroger and Rite Aid - told the lawmakers they allow their pharmacy store staff to handle law enforcement requests for prescription records without a review by their companies' legal departments.
Only one of the companies - Amazon - said it notifies the patient about record disclosures to law enforcement.
Three of the companies - CVS, Kroger and Walgreens - committed to publishing annual "transparency reports" of law enforcement requests for records.
Amazon in a statement to Information Security Media Group said, "Were committed to protecting our customers' privacy - not only because it's required by law, but because it's the right thing to do."
When required by law, Amazon said, it cooperates with law enforcement officials and complies with court orders. "Amazon Pharmacy notifies a customer prior to disclosing health information to law enforcement as long as there is no legal prohibition to doing so. Requests from law enforcement are rare, and represent a very small percentage of the prescriptions we fill for customers."
The other seven pharmacy companies did not immediately respond to ISMG's requests for comment.
"Americans deserve to have their private medical information protected at the pharmacy counter and a full picture of pharmacies' privacy practices, so they can make informed choices about where to get their prescriptions filled," the lawmakers wrote in their letter to HHS.
HHS did not immediately respond to ISMG's request for comment on the letter to Becerra and the status of HHS OCR's proposed plans to update the HIPAA Privacy Rule.
"I believe that HHS received approximately 26,000 comments in response to their proposed rule on reproductive healthcare information," Greene said.
"I expect that it is taking HHS some time to go through those comments. I do expect them to prioritize finalizing the rule in 2024, especially before there is a risk of a change of administration."