If you get a prescription filled using insurance, that medication goes on a report. *Collects prescription drug purchase history for quantifying the relative mortality risk of life insurance applicants and provides risk scores for underwriting decisions.*
When you buy health insurance, you sign a temporary HIPAA release (limited duration) to cover the period that they are underwriting. They can only query your specific pharmacy records for the purposes of underwriting. So yes, this is a HIPAA violation when it is being used by the police. I work in this space with HIPAA data.
The Health Insurance Portability and Accountability Act, or HIPAA, regulates how health information is used and exchanged among “covered entities” such as hospitals and doctor’s offices. But the law gives pharmacies leeway as to what legal standard they require before disclosing medical records to law enforcement.
Of particular note are the exemptions in 45 CFR 164.512(k)(2) applicable to powers granted by executive order 12333 (on mass surveillance). When this exemption is used it makes discovering whether, when, how, or why your data was collected or used practically impossible.
I'm in Canada so HIPAA doesn't apply for me but when I was going into my second year of university the student union signed a contract with a health insurance company that provided some piddly policy for students that was mandatory unless you could provide proof of insurance with another company.
Not only was there no way to refuse this but you were automatically enrolled unless you could provide that proof by a certain date.
I got into an argument with the student president about this because I considered it a massive overreach for the school to give my information to the student union who then turns around and gives it to a third party, and that this is just somehow a part of completing post-secondary education. He was adamant that it was both legal and ethical, and that there was no privacy violation that occurred.
I ended up opting out in time but a few months later I received an email from the insurance company stating that they had been hacked and they weren't quite sure what information had been leaked.
I've never found out what information was transmitted from the student union to the health insurance company, if the company managed to get access to my health records, or if that company has sold those records, or been acquired by a large company that has added those records to their collection, or what the hackers managed to steal.
I guess this is all legal because some student union that gets less than 9% of the student body to vote for them said so?
This is actually a pretty good use of the data if it's done by a university for a study or the NIH in a nonprofit capacity. Using prescription data on insurance to see outcomes at a societal level for prescriptions since it's all in one place.
Of course life insurance companies will instead use the data to decide someone's premiums or whether to give them life insurance at all if a prescription shows up on that person's history when they try to sign up.
As a former CEO of a pharma startup I can tell you that you can buy this information as well. Really useful for market research, but shit for patient privacy.
Anyone remember the video rental privacy law? In the US we basically for some reason must have a specific law about each specific modality. For those who don't remember, it was explicitly illegal for video stores to disclose rental records (still is). And of course, you guessed it, this law happened because a politician had their rental records disclosed (a judge in this case) https://en.wikipedia.org/wiki/Video_Privacy_Protection_Act
Apparently some digital video lawyers are trying to use it there.
And I don't know how well it blocked disclosures when cops asked.
Librarians at (good) public libraries are used to refusing disclosure.
This sort of thing underscores how impossible it is to stay safe in our society. If you can't even get medical care without your data being mined for all it's worth, what can you do?
We can start by not voting for the usual suspects because the usual suspects mean the usual routine. Telling ourselves that "these usual suspects" are slightly better than "those usual suspects" is a poor trade. It guarantees the usual routine.
There is more of course, such as insisting on the more private path when there is an option. Because often there is an option. Just not always.
Also this one is actually very easy to answer:
> Though some of the chains require their lawyers to review law enforcement requests, three of the largest — CVS Health, Kroger and Rite Aid, with a combined 60,000 locations nationwide — said they allow pharmacy staff members to hand over customers’ medical records in the store.
So there you go: CVS, Kroger, Rite Aid are clearly sending us to their competitors. In most places, it's easy to shift prescriptions to a competitor.
> So there you go: CVS, Kroger, Rite Aid are clearly sending us to their competitors. In most places, it's easy to shift prescriptions to a competitor.
Where I am, every pharmacy is one of those three. There are no competitors to shift to.
Doesn't surprise me a bit. Deal with anything sensitive and companies are very prone to cooperating with the police rather than have them cause trouble when they don't get what they want right now.
https://www.consumerfinance.gov/consumer-tools/credit-report...
Even if you don’t use insurance, it may still be possible to wind up on this list.
https://www.law.cornell.edu/cfr/text/45/164.512
And then there's the HHS interpretation of the above for providers, which is... porous:
https://www.hhs.gov/hipaa/for-professionals/faq/505/what-doe...
As long as everyone whose data is used has consented to it, then yes.
Is it anonymised or “anonymised”? (Put another way, are there zip codes?)
But no, not pharmacies.
So utterly depressing.