Congress finds pharmacies give patient records to law enforcement without warrants

A sweeping congressional review of eight major pharmacy chains’ privacy practices found that none require a warrant prior to sharing customers’ records with law enforcement, and three of the eight do not require any legal review of such requests, according to an announcement Tuesday from Sen. Ron Wyden.

Wyden urged the Biden administration to revise Health Insurance Portability and Accountability Act (HIPAA) rules to better guard Americans’ pharmaceutical records from warrantless law enforcement requests. He cited the risks women face after the Supreme Court’s 2022 abortion decision as one of many reasons to quickly make the change, according to a letter sent to the Department of Health and Human Services (HHS).

HIPAA rules on pharmacy records are currently under review by HHS’s Office of Civil Rights, which has said it is focusing on better protecting reproductive health care information.

“Although pharmacies are legally permitted to tell their customers about government demands for this data, most don’t,” the letter from Wyden (D-OR) and co-investigators Reps. Sara Jacobs (D-CA ) and Pramila Jayapal (D-WA) said. “As a result, many Americans’ prescription records have few meaningful privacy protections, and those protections vary widely depending on which pharmacy they use.”

The investigation, which began in June, surveyed leadership at eight pharmacy chains: CVS Health; Walgreens Boots Alliance; Cigna; Optum Rx; Walmart Stores Inc.; the Kroger Company; Rite Aid Corporation; and Amazon Pharmacy.

Investigators found the following:

  • Of the eight, three fail to require legal review before submitting patient records to law enforcement: CVS Health, the Kroger Company and Rite Aid Corporation.
  • None of the eight require a warrant prior to sharing patient records.
  • Only CVS Health, Walgreens Boots Alliance and Kroger commit to publishing annual transparency reports.
  • Only Amazon Pharmacy alerts patients when it shares records with law enforcement.

CVS Health, the Kroger Company and the Rite Aid Corporation told the congressional investigators they do not require legal review of law enforcement requests because “their pharmacy staff face extreme pressure to immediately respond to law enforcement demands and, as such, the companies instruct their staff to process those requests in the store,” the letter said.

The lawmakers noted that CVS Health and Kroger defended their systems, arguing that pharmacy staff are trained to field the requests and can contact company lawyers if they want to.

Kroger did not respond to a request for comment and Rite Aid declined to comment.

CVS released a statement saying it is “committed to safeguarding the personal health information (PHI) of our patients.”

“Our pharmacy teams are trained how to appropriately respond to lawful requests from regulatory agencies and law enforcement,” the statement said. “Our legal team provides support and guidance on handling requests as well as determining whether requests are lawful.”

The CVS statement noted that the company is in compliance with HIPAA regulations, which it said do not require law enforcement to get a warrant or judge-issued subpoena before asking for records containing personal medical data. The statement said the company has suggested the rules be updated to include such requirements.

Amazon, the only other of the eight companies to comment, said it is committed to protecting its customers’ privacy and noted that records’ requests from law enforcement are very rare.

“When required by law, we cooperate with law enforcement officials and comply with court orders,” the statement said. “Amazon Pharmacy notifies a customer prior to disclosing health information to law enforcement as long as there is no legal prohibition to doing so.”

In July, Wyden, Eshoo, Jayapal and 44 other members of Congress also wrote to HHS, pressing the department to overhaul HIPAA and stop law enforcement from accessing Americans’ medical records without a warrant.

Among the changes being considered by HHS’s Office of Civil Rights are new protections banning the use or sharing of protected health data to identify, investigate or prosecute providers and “others involved in the provision of legal reproductive health care, including abortion,” according to the HHS website.

In the most recent letter to HHS, Wyden and his colleagues said that since HIPAA gives discretion to the department to “determine the standard of legal process that will govern disclosure of medical records,” HHS should “strengthen the minimum bar set in the current regulations to require a warrant.”

Wyden, Eshoo and Jayapal said the medical information that can now be legally shared with law enforcement without any safeguards is extremely sensitive, particularly given the pattern of women being prosecuted for traveling outside of state lines to obtain abortions and other controversial legal developments in the wake of the Supreme Court’s abortion decision.

“Americans’ prescription records are among the most private information the government can obtain about a person,” the members wrote. “They can reveal extremely personal and sensitive details about a person’s life, including prescriptions for birth control, depression or anxiety medications, or other private medical conditions.”

The members said the pharmacies’ lack of transparency is particularly troubling given the vast differences between their privacy practices.

“If the landscape were made clearer, patients will finally be able to hold pharmacies with neglectful practices accountable by taking their business elsewhere,” the letter said.

The requirement for a warrant to access pharmaceutical records would parallel a 2010 court decision requiring tech companies to obtain one before sharing users’ emails with law enforcement, the letter argued.

None of the pharmacies besides Amazon, Rite Aid and CVS responded to a request for comment.

Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Suzanne Smalley

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.