The nation’s largest pharmacy chains have handed over Americans’ prescription records to police and government investigators without a warrant, a congressional investigation found, raising concerns about threats to medical privacy.
Though some of the chains require their lawyers to review law enforcement requests, three of the largest — CVS Health, Kroger and Rite Aid, with a combined 60,000 locations nationwide — said they allow pharmacy staff members to hand over customers’ medical records in the store.
The policy was revealed in a letter sent late Monday to Xavier Becerra, the secretary of the Department of Health and Human Services, by Sen. Ron Wyden (D-Ore.) and Reps. Pramila Jayapal (D-Wash.) and Sara Jacobs (D-Calif.).
The members began investigating the practice after the Supreme Court’s decision last year in Dobbs v. Jackson Women’s Health Organization ended the constitutional right to abortion.
The revelation could shape the debate over Americans’ expectations of privacy as Texas and other states move to criminalize abortion and drugs related to reproductive health.
Pharmacies’ records hold some of the most intimate details of their customers’ personal lives, including years-old medical conditions and the prescriptions they take for mental health and birth control.
Because the chains often share records across all locations, a pharmacy in one state can access a person’s medical history from states with more-restrictive laws. Carly Zubrzycki, an associate professor at the University of Connecticut law school, wrote last year that this could link a person’s out-of-state medical care via a “digital trail” back to their home state.
The Health Insurance Portability and Accountability Act, or HIPAA, regulates how health information is used and exchanged among “covered entities” such as hospitals and doctor’s offices. But the law gives pharmacies leeway as to what legal standard they require before disclosing medical records to law enforcement.
In briefings, officials with America’s eight biggest pharmacy giants — Walgreens Boots Alliance, CVS, Walmart, Rite Aid, Kroger, Cigna, Optum Rx and Amazon Pharmacy — told congressional investigators that they required only a subpoena, not a warrant, to share the records.
A subpoena can be issued by a government agency and, unlike a court order or warrant, does not require a judge’s approval. To obtain a warrant, law enforcement must persuade a judge that the information is vital to investigate a crime.
Officials with CVS, Kroger and Rite Aid said they instruct their pharmacy staff members to process law enforcement requests on the spot, saying the staff members face “extreme pressure to immediately respond,” the lawmakers’ letter said.
The eight pharmacy giants told congressional investigators that they collectively received tens of thousands of legal demands every year, and that most were in connection with civil lawsuits. It’s unclear how many were related to law enforcement demands, or how many requests were fulfilled.
Only one of the companies, Amazon, said it notified customers when law enforcement demanded its pharmacy records unless there was a legal prohibition, such as a “gag order,” preventing it from doing so, the lawmakers said.
Americans can request the companies tell them if they’ve ever disclosed their data under a HIPAA “Accounting of Disclosure” rule, but very few people do. CVS, which has more than 40,000 pharmacists and 10,000 stores in the United States, said it received a “single-digit number” of such consumer requests last year, the letter states.
CVS, the country’s largest pharmacy by prescription revenue, said in a statement that it is compliant with HIPAA and that its pharmacy teams are “trained on how to appropriately respond to lawful requests from regulatory agencies and law enforcement.”
“We have suggested a warrant or judge-issued subpoena requirement be considered and we look forward to working cooperatively with Congress to strengthen patient privacy protections,” company spokeswoman Amy Thibault said.
Most investigative requests come with a directive requiring the company to keep them confidential, she said; for those that don’t, the company considers “on a case-by-case basis whether it’s appropriate to notify the individual.” The company intends to begin publishing a transparency report that will include information on third-party record requests starting in the first quarter of next year, she said.
HHS did not immediately respond to requests for comment.
A Walgreens spokesman said the company’s law enforcement process follows HIPAA and other applicable laws. A Walmart spokeswoman said the company takes its “customers’ privacy seriously as well as our obligation to law enforcement.” Rite Aid declined to comment.
The other companies, including Amazon, did not respond to requests for comment. Amazon founder Jeff Bezos owns The Washington Post, and interim Post CEO Patty Stonesifer is a member of Amazon’s board.
Carmel Shachar, an assistant clinical professor at Harvard Law School who researches health law and policy, said that pharmacies hold a “ton of sensitive data” and that pharmacists are probably not trained to evaluate the merits or validity of a police request — or to turn an officer down.
“These need to go to someone who understands privacy law for review,” she said. “It probably feels very nerve-racking to get a subpoena and tell the person who gave it to you, ‘Oh, you’ll have to wait.’”
The pharmacy data could be especially concerning for the nearly 1 in 3 women ages 15 to 44 who a Post analysis found live in states where abortion is fully or mostly banned.
In Texas, Attorney General Ken Paxton (R) has warned pharmacies they could face criminal charges for providing women with “abortion-inducing drugs.” Kate Cox, a Dallas-area mother of two who sought an abortion after learning her fetus had a fatal genetic condition, left the state on Monday after the Texas Supreme Court blocked a lower-court ruling that would have allowed her to get the procedure.
Some states, such as Louisiana, Montana and Pennsylvania, offer additional protections for medical data disclosure, though federal law enforcement is not subject to their laws.
In their letter, the lawmakers called on HHS to strengthen HIPAA’s rules and ensure pharmacies insist on a warrant, which would require law enforcement go to court to enforce such requests.
The lawmakers noted that the tech industry had adopted a similar change in the early 2010s, when Google, Microsoft and Yahoo began demanding to see warrants before providing data on customers’ emails.
They also urged the companies to proactively notify customers and to publish regular transparency reports highlighting the volume of law enforcement requests.
“Americans deserve to have their private medical information protected at the pharmacy counter,” they wrote.