Suit: CVS Caremark Violating HIPAAIndependent Pharmacies Allege Unfair Practices
The lawsuit against CVS Caremark also alleges violations of the Racketeer Influenced and Corrupt Organizations Act, or RICO, and trade secret misappropriation. It claims that CVS Caremark has failed to implement a "firewall" between its retail pharmacy unit and its pharmacy benefit manager unit, which accesses drug information from other pharmacies, as required when the Federal Trade Commission approved the merger of CVS and Caremark in 2007.
Use of Information Questioned"The combined company built an information technology platform that straddles all CVS Caremark's business segments, capturing in-depth patient data for marketing and other purposes in violation of HIPAA patient privacy laws," according to a release from the plaintiffs.
The plaintiffs are board members of American Pharmacies, a pharmacy wholesale buying group that's financing the lawsuit.
The suit alleges that CVS Caremark "mines the accumulated patient- and pharmacy-specific data to identify individual patient-buying practices, their physicians' prescribing practices and individual pharmacy business volume," according to the release. "CVS Caremark contacts patients via direct mail and phone calls about their prescriptions, urging, and in some cases, mandating, plaintiff's patients to use CVS Caremark retail or mail-order stores."
CVS ReactionIn a statement reacting to the lawsuit, CVS Caremark said, "We have learned that a new lawsuit has been filed and are in the process of reviewing its contents. CVS Caremark is confident that its business practices and service offerings, which are designed to reduce healthcare costs and expand consumer choice, are being conducted in compliance with applicable antitrust, privacy and other laws."
In early 2009, CVS Caremark agreed to pay a $2.25 million fine to settle FTC charges involving the improper disposal of patient information in dumpsters in violation of HIPAA.