CVS Caremark
CVS has pulled all tobacco products from its shelves. Reuters
CVS
A CVS pharmacy is seen in New York City, July 28, 2010. Reuters/Mike Segar

A new drugstore loyalty program is offering sweet rewards for prescription holders, but some privacy advocates are calling it a bitter pill.

CVS Caremark Corporation (NYSE:CVS), the nation's largest drugstore chain, is coming under fire this month for its ExtraCare Pharmacy & Health Rewards program, which critics say forces consumers to waive their health-information privacy rights in exchange for deals.

The program, launched in February, boasts annual rewards of up to $50, but to enroll, customers are required to sign an HIPAA authorization form. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, the federal law that that set national standards for the security of electronic-protected health information. The law contains confidentiality provisions that allow consumers to control who sees their health information, including which medications they take.

CVS says its HIPAA authorization simply allows the drugstore to “record the prescription earnings of each person who joins,” but David Lazarus, a business columnist for the Los Angeles Times, says there's more to it than that. In an Aug. 15 column, he noted that signing the authorization requires customers to acknowledge their “health information may potentially be re-disclosed and thus is no longer protected by the federal Privacy Rule.”

Lazarus criticized CVS for not explaining to customers what HIPAA is or what the implications are for forgoing their privacy rights.

“What CVS calls a ‘HIPAA Authorization,’ … is not to be taken lightly,” he wrote.

Lazarus column has sparked similar stories elsewhere, including a report on Wish-TV in Indiana, which quoted Indiana University professor David Orentlicher as saying that the HIPAA authorization could put consumers’ health information at risk.

“That’s why there’s a federal law,” Orentlicher told the television station. “So it’s not up to the whims of corporate executives whose primary objective in the end is to increase the profits of their shareholders and that’s not always in the patient’s health interest.”

Mike DeAngelis, director of public relations for CVS Caremark, told International Business Times in an email that he believes the story is being misreported. He said the language in its authorization statement is required under HIPAA privacy law, but he insists that customers are only authorizing CVS to count the number of prescriptions a customer fills so that it can reward them based on that number.

“We are committed to protecting the privacy of our customers and we do not share any of their personal information, which remains protected under consumer privacy laws,” DeAngelis said.

Lazarus’ report has brought wider attention to the issue, but as far back as January, there had already been rumblings on several message boards from consumers concerned about the wording in the CVS authorization.

Privacy Rule authorizations aren't uncommon among health insurers and health care providers who electronically transmit information. According to the U.S. Department of Health and Human Services, entities seeking authorization are required to provide a statement acknowledging the possibility that health information could be redisclosed by the recipient. The law, however, doesn't require CVS to assess the likelihood of that risk (which it doesn’t), only that it lets customers know that information disclosed is no longer covered by the Federal Privacy Rule.

Other drugstore chains such as Walgreen Company (NYSE:WAG) don't require an HIPAA authorization as part of their rewards programs.