RICHMOND, VA (WWBT) - Privacy experts say CVS pharmacy customers need to be on alert. If you've signed up for the ExtraCare rewards program for prescription drugs, then you have signed a waiver giving up certain healthcare privacy protections under HIPAA.
If you sign up, you can earn up to 50 bucks a year in store credit. Sounds like a great deal - but consumer advocates say before you say yes, read the agreement. Saving that 50 bucks a year means signing away some of your HIPAA Rights; it's the privacy rule that protects your medical information.
Claire Gastanaga, Executive Director of the ACLU of Virginia says it's up to the consumer to understand what they are singing. "If I were a CVS customer, which I am, I would be looking very carefully at the fine print here," she says.
We couldn't get anyone on camera but CVS did issue a statement. It says, "Earlier this year, CVS/pharmacy launched a new ExtraCare Pharmacy & Health Rewards program to give members more ways to earn rewards for actions they take to stay healthy, such as filling prescriptions and getting a flu shot. Our pharmacy rewards program requires authorization from patients for it to access their prescription information in order to provide rewards based on the number of prescriptions they fill. This authorization is part of our extensive procedures, stringent policies and state-of-the-art technology in place to protect our customers' personal and health information.
Despite that promise, if you sign the waiver, you'll see it still allows "CVS/Pharmacy® and its affiliates to share prescription and other health service records" you share with the pharmacy.
"For us, our concern is once they get it, who else is going to get access to it," Gastanaga says. We should point out customers don't have to sign up for the rewards program and can still use the pharmacy. Also, if you sign up and change your mind, you can opt out of the program and can you can cancel your HIPAA authorization.
Zach McCluskey, COO for Retreat Doctors' Hospital, says the CVS waiver is not surprising but calls it unique. He says he can't comment on CVS's reasoning or policies but for hospitals, protecting patient privacy is crucial. '"If you don't feel secure that your information is secure, you may not seek necessary treatment and you may be hesitant to share what is actually going on with you and you may not get the appropriate care that you need," he says.
Gastanaga, says this is all a reminder that consumer privacy is a constant battle. "There are drones that can fly over house and smell the bacon cooking in our kitchen or see a smile from 2 and half miles up. All of this technology is making it this more difficult to guard our privacy," she says.
Signing up for the rewards program is your choice, you just have to ask yourself is it worth it. We checked and Walgreens and Rite Aid have similar rewards programs but don't require a HIPPA waiver.