Suit: CVS Caremark Violating HIPAA

Independent Pharmacies Allege Unfair Practices
Suit: CVS Caremark Violating HIPAA
Six independent pharmacies in Texas are suing CVS Caremark, alleging, among other things, that the company has violated the HIPAA privacy rule.

The lawsuit against CVS Caremark also alleges violations of the Racketeer Influenced and Corrupt Organizations Act, or RICO, and trade secret misappropriation. It claims that CVS Caremark has failed to implement a "firewall" between its retail pharmacy unit and its pharmacy benefit manager unit, which accesses drug information from other pharmacies, as required when the Federal Trade Commission approved the merger of CVS and Caremark in 2007.

Use of Information Questioned

"The combined company built an information technology platform that straddles all CVS Caremark's business segments, capturing in-depth patient data for marketing and other purposes in violation of HIPAA patient privacy laws," according to a release from the plaintiffs.

The plaintiffs are board members of American Pharmacies, a pharmacy wholesale buying group that's financing the lawsuit.

The suit alleges that CVS Caremark "mines the accumulated patient- and pharmacy-specific data to identify individual patient-buying practices, their physicians' prescribing practices and individual pharmacy business volume," according to the release. "CVS Caremark contacts patients via direct mail and phone calls about their prescriptions, urging, and in some cases, mandating, plaintiff's patients to use CVS Caremark retail or mail-order stores."

CVS Reaction

In a statement reacting to the lawsuit, CVS Caremark said, "We have learned that a new lawsuit has been filed and are in the process of reviewing its contents. CVS Caremark is confident that its business practices and service offerings, which are designed to reduce healthcare costs and expand consumer choice, are being conducted in compliance with applicable antitrust, privacy and other laws."

In early 2009, CVS Caremark agreed to pay a $2.25 million fine to settle FTC charges involving the improper disposal of patient information in dumpsters in violation of HIPAA.

About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.