Pharmacies shared patient records without a warrant, an investigation has found

Law enforcement agencies obtained the prescription records of thousands of Americans without a warrant from the nation’s largest pharmacy chains, a Congressional investigation has found, raising concerns about the companies’ handling of patient privacy.

Three of the largest pharmacy groups — CVS Health, Kroger and Rite Aid — do not require their employees to contact an attorney before releasing information requested by law enforcement, the investigation found. The other five — Walgreens, Cigna, Optum Rx, Walmart and Amazon — said they would require a legal review before granting such requests.

The policy was announced on Tuesday a letter to Xavier Becerra, the Secretary of Health and Human Services, from Senator Ron Wyden of Oregon and Representatives Pramila Jayapal of Washington and Sara Jacobs of California, all Democrats.

The investigation began in June, a year after the Supreme Court ended the constitutional right to abortion and cleared the way for Republican-controlled states to ban the procedure almost entirely. Reproductive health advocates and some lawmakers have since raised privacy concerns regarding access to contraception and abortion medications.

“Although pharmacies are legally allowed to inform their customers about government demands for their data, most do not,” the lawmakers wrote. “As a result, many Americans’ prescription data have few meaningful privacy protections, and those protections vary widely depending on the pharmacy they use.”

The investigation showed that pharmacies receive tens of thousands of legal requests for their patients’ pharmacy data every year. However, the companies indicated that a large majority of requests were filed in connection with civil lawsuits.

In July, nearly 50 Democratic members of Congress convened wrote to Mr. Becerra Urge the Department of Health and Human Services to expand regulations under the Health Insurance Portability and Accountability Act (HIPAA), which would require law enforcement agencies to obtain a warrant to access medical records and require patients to be notified when their files are requested to be released.

Since then, lawmakers have pored over the disclosure practices of major pharmacy chains.

During the congressional investigation, CVS, Kroger and Rite Aid “indicated that their pharmacy staff are under extreme pressure to immediately respond to law enforcement requests and as such, the companies are instructing their staff to process those requests in-store,” Mr. Wyden said. Ms. Jayapal and Ms. Jacobs wrote in their letter to Mr. Becerra.

“Americans’ prescription records are among the most personal information the government can obtain about an individual,” the lawmakers wrote. “They can reveal extremely personal and sensitive details about someone’s life.”

It then urged the Department of Health and Human Services to strengthen regulations under HIPAA “to better align them with Americans’ reasonable expectations of privacy and constitutional principles.”

“Pharmacies can and should insist on a warrant, and invite law enforcement agencies that insist on subpoena-only patient medical records to go to court to enforce that demand,” the letter said.

In a statement, a CVS spokeswoman said the company’s “processes are consistent with HIPAA” and that its pharmacy teams are trained to “respond appropriately to lawful requests.”

“We have proposed considering a warrant or subpoena by a judge and we look forward to working with Congress to strengthen patient privacy protections,” said the spokeswoman, Amy Thibault.

The Department of Health and Human Services has already taken steps to add language to HIPAA that would protect reproductive health data. In April, the department’s Office of Civil Rights proposed a rule That would prevent health care providers and insurers from passing on information to state officials trying to prosecute someone for seeking or offering legal abortion.

Michelle Mello, a professor of law and health policy at Stanford, said requiring a warrant instead of a subpoena for the release of pharmacy data “would not necessarily eliminate privacy concerns.” She also said informing patients about data disclosure, which lawmakers said would be “a major step forward for patient transparency,” would likely only happen after the fact.

While Professor Mello said most pharmacy data should be kept private, she said targeting pharmacy workers, who could be found in contempt of court for not complying with law enforcement demands for data, adds an extra layer of complexity.

“It’s not fair to give them the responsibility of being held in contempt of court and then fighting it,” she said.

But efforts by Democrats in Congress to support HIPAA reveal a long-standing misconception about the health care privacy law, which was signed into law in 1996, she said.

“People think HIPAA provides broader protection than is the case,” Professor Mello said. “It was not intended to empower health care providers to oppose deeply misguided, in my opinion, efforts to enforce laws that negatively impact patients.”