On Your Side Alert: CVS ExtraCare Rewards and HIPAA concerns

RICHMOND, VA (WWBT) - Privacy experts say CVS pharmacy customers need to be on alert. If you've signed up for the ExtraCare rewards program for prescription drugs, then you have signed a waiver giving up certain healthcare privacy protections under HIPAA.

If you sign up, you can earn up to 50 bucks a year in store credit. Sounds like a great deal - but consumer advocates say before you say yes, read the agreement. Saving that 50 bucks a year means signing away some of your HIPAA Rights; it's the privacy rule that protects your medical information.

Claire Gastanaga, Executive Director of the ACLU of Virginia, says it's up to the consumer to understand what they are signing. "If I were a CVS customer, which I am, I would be looking very carefully at the fine print here," she says.

We couldn't get anyone on camera but CVS did issue a statement. It says, "Earlier this year, CVS/pharmacy launched a new ExtraCare Pharmacy & Health Rewards program to give members more ways to earn rewards for actions they take to stay healthy, such as filling prescriptions and getting a flu shot. Our pharmacy rewards program requires authorization from patients for it to access their prescription information in order to provide rewards based on the number of prescriptions they fill. This authorization is part of our extensive procedures, stringent policies and state-of-the-art technology in place to protect our customers' personal and health information.

The language in our authorization statement is required under the HIPAA privacy law. By signing the HIPAA authorization form, customers are authorizing CVS only to enroll in the Pharmacy & Health Rewards program and to count the number of prescriptions a customer fills as an individual so that we can reward them based on that number. We are committed to protecting the privacy of our customers and we do not share any of their personal information, which remains protected under consumer privacy laws."

Despite that promise, if you sign the waiver, you'll see it still allows "CVS/Pharmacy® and its affiliates to share prescription and other health service records" you share with the pharmacy.

When we pressed more about that sharing clause, and what it meant, CVS says the language is required by HIPAA Law. The company says, "It is against the law to redisclose this information to third parties. Our Pharmacy is a HIPAA covered entity disclosing the number of prescriptions filled by a customer to our ExtraCare program, which is run by our retail business, a non-covered entity. That is the only info ExtraCare receives - number of prescriptions filled by a patient."

"For us, our concern is once they get it, who else is going to get access to it," Gastanaga says. We should point out customers don't have to sign up for the rewards program and can still use the pharmacy. Also, if you sign up and change your mind, you can opt out of the program and you can cancel your HIPAA authorization.

Zach McCluskey, COO for Retreat Doctors' Hospital, says the CVS waiver is not surprising but calls it unique. He says he can't comment on CVS's reasoning or policies but for hospitals, protecting patient privacy is crucial. "If you don't feel secure that your information is secure, you may not seek necessary treatment and you may be hesitant to share what is actually going on with you and you may not get the appropriate care that you need," he says.

Gastanaga says this is all a reminder that consumer privacy is a constant battle. "There are drones that can fly over house and smell the bacon cooking in our kitchen or see a smile from 2 and half miles up. All of this technology is making it this more difficult to guard our privacy," she says.

Signing up for the rewards program is your choice; you just have to ask yourself whether it is worth it. We checked and Walgreens and Rite Aid have similar rewards programs but don't require a HIPAA waiver.

Copyright 2013 WWBT NBC12.  All rights reserved.