The Democratic-led, bicameral inquiry into patient privacy found that seven major pharmacy chains and Amazon Pharmacy provided patient prescription records to law enforcement without warrants.
The pharmacy chains included CVS Health, Walgreens Boots Alliance, Cigna, Optum Rx, Walmart Stores, Inc., The Kroger Company and Rite Aid Corporation.
Of those that were surveyed by lawmakers, Amazon Pharmacy was the only one that said it had a policy of informing customers when their records were requested.
Three of the pharmacy chains — CVS Health, The Kroger Co. and Rite Aid Corp — said they allowed their staff to handle records requests in-store without a legal professional reviewing them.
They argued their staff are under pressure to respond to law enforcement immediately.
CVS Health said in a statement that its method for handling records request is compliant with HIPAA policy and aligns with “industry practices.”
HIPAA-covered entities like health insurers and providers can disclose protected health information to law enforcement under certain circumstances, including in response to a subpoena or if the entity believes the information is linked to a crime.
Amazon noted in a statement on Tuesday that “requests from law enforcement are rare, and represent a very small percentage of the prescriptions we fill for customers.”
Democratic Reps. Pramila Jayapal (Wash.), Sara Jacobs (Calif.) and Sen. Ron Wyden (D-Ore.) called on the Department of Health and Human Services to update HIPAA policy so that it reflects “Americans’ reasonable expectations of privacy and Constitutional principles.”
They argued that pharmacies should insist on warrants from law enforcement, noting that many records are turned over in response to just a subpoena that does not have to be reviewed by a judge before it’s issued.
Around the time of this inquiry, CVS, Walgreens and Kroger committed to publishing annual transparency reports on law enforcement requests for patient records. CVS’s first report will be published in the first quarter of 2024.