The National Community Pharmacists Association (NCPA) and several consumer and privacy groups—Consumer Action, U.S. Public Interest Research Group (PIRG), Patient Privacy Rights, Private Citizen, and Privacy Journal—are asking the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) to investigate potentially illegal activity by CVS Caremark.

The Health Insurance Portability and Accountability Act (HIPAA) allows CVS Caremark access to information on patients covered by its pharmacy benefit manager division for administering claims and other limited purposes. Ninety-three company letters collected by NCPA document CVS Caremark tapping into personal medical histories for marketing purposes, such as to urge patients to switch an existing prescription from their independent community pharmacy to a CVS retail or Caremark mail order pharmacy. Even solicitations regarding prescriptions of a sensitive nature were mailed, increasing the risk that a neighbor or other unauthorized person might inadvertently learn of a medical condition. A redacted example letter can be found here.

"The initial concerns about merging a giant drug store chain like CVS with a giant pharmacy benefit manager and mail order pharmacy like Caremark have been prescient," said NCPA Executive Vice President and CEO Bruce T. Roberts, RPh. "Evidence suggests patient records are being accessed to steer patients away from their pharmacy of choice to a CVS or Caremark mail order. The FTC's ongoing investigation of the company indicates where there is smoke there might be fire."

Roberts added, "CVS Caremark's conduct also appears to violate HIPAA patient protections and warrants a formal investigation. Patient records are not commodities to be exploited. CVS Caremark consistently seems to be putting profits before patients. This latest practice indicates a willingness to seek financial gains at the expense of patients' privacy rights."

The groups' letter explains the gravity of what has been occurring. What follows are several excerpts:

"We have collected over 300 complaints covering a wide range of deceptive, fraudulent or otherwise egregious practices. One of the most common complaints we have received clearly indicates that CVS Caremark, in its role as a pharmacy benefits manager, has been accessing protected health information entrusted to them for pharmacy claims administration by health plans and competitor pharmacies in order to steer patients to CVS pharmacies for their own financial gain. Also, in light of the fact that CVS Caremark has been cited for HIPAA violations in the recent past, we feel that the examples that we have collected speak to a systemic, corporation-wide disregard for health care information privacy."

"Typically, a patient will receive a letter in the mail from CVS Caremark that indicates that 'according to their records' the patient has recently filled a prescription for a certain drug on a certain date at a pharmacy other than CVS. The letter includes the specific drug name, the date of the patient's last refill and the name of their pharmacy. The letter then includes instructions urging the patient to obtain all future refills at a CVS retail or mail order pharmacy. We have also collected some examples where patients have received similar letters that list their entire prescription fill history for the previous year, including the patient's medications, the dates of each refill, and all pharmacies used. These letters also urge patients to switch their prescriptions to CVS. Many times, upon receipt of such a letter, the consumer will visit their community pharmacist, oftentimes an independent pharmacy, confused and upset that CVS has access to their protected health information. "

A full copy of the letter can be viewed here.

CVS Caremark agreed in February to pay a $2.25 million fine for HIPAA violations centering around the improper disposing of patient records. Another investigation by the Federal Trade Commission (FTC) for anti-competitive violations was acknowledged by CVS Caremark on Nov. 5, 2009.

The National Community Pharmacists Association (NCPA®) represents America's community pharmacists, including the owners of more than 22,700 independent community pharmacies, pharmacy franchises, and chains. Together they represent an $88 billion health-care marketplace, employ over 65,000 pharmacists, and dispense over 40% of all retail prescriptions. To learn more go to www.ncpanet.org or to view their blog, The Dose, go to http://ncpanet.wordpress.com/.