The National Community Pharmacists Association announced that it has joined several consumer privacy groups (Consumer Action, U.S. Public Interest Research Group, Patient Privacy Rights, Private Citizen, and Privacy Journal) in asking the U.S. Department of Health and Human Services’ Office for Civil Rights and the Federal Trade Commission to investigate CVS Caremark for potential violations of the Health Insurance Portability and Accountability Act (HIPAA). NCPA represents the pharmacist owners, managers and employees of more than 22,000 independent community pharmacies in the United States. The press release explains:

The Health Insurance Portability and Accountability Act (HIPAA) allows CVS Caremark access to information on patients covered by its pharmacy benefit manager division for administering claims and other limited purposes. Ninety-three company letters collected by NCPA document CVS Caremark tapping into personal medical histories for marketing purposes, such as to urge patients to switch an existing prescription from their independent community pharmacy to a CVS retail or Caremark mail order pharmacy. Even solicitations regarding prescriptions of a sensitive nature were mailed, increasing the risk that a neighbor or other unauthorized person might inadvertently learn of a medical condition. A redacted example letter can be found here.

In the letter (pdf), the groups claim: “We have collected over 300 complaints covering a wide range of deceptive, fraudulent or otherwise egregious practices. One of the most common complaints we have received clearly indicates that CVS Caremark, in its role as a pharmacy benefits manager, has been accessing protected health information entrusted to them for pharmacy claims administration by health plans and competitor pharmacies in order to steer patients to CVS pharmacies for their own financial gain.”

The groups said a significant number of the types of letters sent by CVS Caremark to customers “involve protected health information that may be considered particularly sensitive. The letters that have been highlighted in this correspondence specifically list the names of the prescription medications that have been prescribed to the covered beneficiary. Many of the letters involve medications specifically prescribed to treat sensitive medical conditions — the type of information that patients typically have a greater expectation or need for confidentiality.”

The groups noted, “At the time that the CVS Caremark merger was contemplated and approved, CVS Caremark principals assured FTC officials that there would be a ‘firewall’ between the pharmacy benefit management functions of the corporation and the retail pharmacy function. It is obvious that a firewall is clearly not operational or is being blatantly circumvented.”

The groups highlighted that CVS Caremark recently had to settle charges the company violated patient privacy rights. In February, CVS Caremark agreed to settlements with the FTC and the US Department of Health and Human Services after being charged with violating federal laws by failing “to implement reasonable and appropriate procedures for handling personal information about customers and employees,” and by making unfair and deceptive claims concerning CVS Caremark’s security practices.

“In light of the fact that CVS Caremark has been cited for HIPAA violations in the recent past, we feel that the examples that we have collected speak to a systemic, corporation-wide disregard for health care information privacy.” the groups said.

This entry was posted on Tuesday, November 24th, 2009 and is filed under Identification, Medical data, Technology. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Possibly related posts:

• Bloomberg: CVS Accused in Suit of Selling Customer Data to Drugmakers
• World Privacy Forum: Patient’s Guide to HIPAA: How to Use the Law to Guard your Health Privacy
• CVS Settles Patient Privacy Cases with Federal Trade Commission, Health and Human Services