by Craig Klugman, Ph.D.
How much is your privacy worth? Would you be willing to give up your rights to medical privacy for $50? The company CVS Caremark is betting that you would. Earlier this year, CVS began counting pharmaceutical purchases toward its rewards program. For every 10 prescriptions filled, a customer can receive $5 worth of credits to be used at CVS, up to a maximum of $50 per year. Such programs are not new; Walgreens and Rite-Aid also offer rewards for prescription purchases. According to David Lazarus at the LA Times, the difference is that CVS requires customers to give up their HIPAA privacy rights to participate.
The Health Insurance Portability and Accountability Act of 1996 (also known as the Kennedy-Kassebaum Act) protects workers’ health insurance when they change jobs and establishes standards for electronic medical record security. The act also grants patients privacy in their health information. In general, insurers, health care providers, and health care entities must protect private health information (PHI). Such data can only be used with the patient’s express consent, except for such uses as care of the patient, payment, and health care administration. In addition, a patient can request copies of medical records, request notification of how their PHI is used and who has accessed their records, and have inaccuracies in their records corrected, among other rights.
CVS customers who want to add the prescription bonus to their rewards program must sign a HIPAA waiver on an annual basis. Lazarus says that the CVS form does not explain what HIPAA is. He says that CVS alleges they need the waiver in order to record the reward credits accurately. Lazarus criticizes CVS for the authorization requirement, insinuating that CVS may be using customers’ information for marketing or mysterious purposes. Essentially, by signing, customers are leaving open a door that could be exploited to violate their privacy, such as having their information sold to other companies and being targeted for marketing based on the drugs they take or the health conditions they have.
Another perspective is that maybe CVS is the only honest player in this contested field. Using prescription information for a rewards program may be a violation of health privacy in and of itself (though only the courts or government regulators can rule on that point). If that is the case, then CVS is doing the better thing by being transparent and requesting permission. But they aren’t doing the right thing because the HIPAA waiver seems overly broad for such a narrow purpose.
Loyalty reward programs are hardly new. Back in 1896, Sperry & Hutchinson offered the first Green Stamps. Retailers bought stamps from S&H and gave them to customers for making purchases. Customers put the stamps into a booklet that could be redeemed for various goods. Today many retailers offer rewards programs in exchange for collecting customers’ information. That data is used for targeted marketing (ever wonder how retail stores start sending coupons for baby products, often before a woman knows she’s pregnant? This is how). Knowledge of what customers want, when they want it, and how they want it is worth big bucks.
What perhaps makes the prescription loyalty programs concerning is that our health information is sensitive. Who knows our health status can have implications for insurance coverage, employment, and social stigma. Perhaps there needs to be a line in the sand, a place where we do not give up our privacy. Even in the age of people putting their every move and thought online, there are certain areas where privacy should and must remain.