December 12,2023

Wyden, Jayapal and Jacobs Inquiry Finds Pharmacies Fail to Protect the Privacy of Americans’ Medical Records; HHS Must Update Health Privacy Rules

Many Major Pharmacy Chains Provide Prescription Records to Law Enforcement Agencies Without A Court Order; Birth Control, Mental Health And Other Sensitive, Personal Conditions Can Be Revealed

Washington, D.C. – Senate Finance Committee Chair Ron Wyden, D-Ore., with Rep. Pramila Jayapal, D-Wash., and Rep. Sara Jacobs, D-Calif., revealed that major pharmacy chains fail to protect the privacy of their customers, in the results of a new inquiry released today. The members called on the Department of Health and Human Services to improve federal health privacy regulations to better protect Americans’ prescriptions and other health records held by pharmacies, and to conduct follow-up pharmacy privacy policy surveys and publish the findings. 

Wyden, Jayapal and Jacobs began their inquiry following the Dobbs Supreme Court decision that repealed Roe v. Wade. They asked eight major pharmacy chains — CVS Health, Walgreens Boots Alliance, Cigna, Optum Rx, Walmart Stores, The Kroger Company, Rite Aid Corporation, and Amazon Pharmacy — how the companies handle law-enforcement requests for prescription and other health records. These findings reaffirm the importance of revising federal privacy regulations to require a warrant for law enforcement demands for Americans’ medical records, so that Americans’ medical records would receive the same protections under federal law as their emails and location data, as 47 members of Congress called for in a July letter

“Americans' prescription records are among the most private information the government can obtain about a person,” the members wrote to HHS Secretary Xavier Becerra. “They can reveal extremely personal and sensitive details about a person’s life, including prescriptions for birth control, depression or anxiety medications, or other private medical conditions.”

The members found that none of the major pharmacies require a warrant to share prescription records with law enforcement agencies, unless there is a state law that requires one. They also found that only CVS Health had committed to publish annual transparency reports about law-enforcement requests for records. During the inquiry Walgreen Boots Alliance and The Kroger Company also agreed to produce transparency reports. 

The inquiry also found that three companies — CVS Health, the Kroger Company and Rite Aid — said they do not require demands for records to be reviewed by a lawyer or paralegal. Instead, pharmacy staff are instructed to respond immediately to law enforcement demands. Finally, only Amazon Pharmacy has a policy of notifying customers about law enforcement demands for records, absent a legal prohibition on doing so.   

Wyden, Jayapal and Jacobs called on HHS Secretary Becerra to update federal health privacy regulations in light of their findings. 

“Americans deserve to have their private medical information protected at the pharmacy counter and a full picture of pharmacies’ privacy practices, so they can make informed choices about where to get their prescriptions filled,” the members wrote. “Our oversight has uncovered significant differences between the practices of major pharmacy chains under current HIPAA regulation and this initial inquiry resulted in immediate policy changes at some of these companies. If the landscape were made clearer, patients will finally be able to hold pharmacies with neglectful practices accountable by taking their business elsewhere.”

Read the full letter here.

Compare each pharmacy’s privacy practices here.

###