When you go to a pharmacy, you expect a certain level of confidentiality. Even if you don’t know the ins and outs of the law, most Americans are aware of the Health Insurance Portability and Accountability Act (HIPAA) laws that protect their privacy when it comes to medical matters. However, it appears that not all pharmacy workers take that responsibility seriously, as a recent New York case illustrates.
When Michael Feinberg went to the CVS on Merrick Road in Long Island with a prescription for Viagra, he explained that he would pay for the medication himself rather than using his insurance. The medication, which is used to treat erectile dysfunction, costs more than $60 per pill, but he presumably wanted to keep his usage to himself.
A few days later, however, he was shocked to discover that a pharmacy worker told his wife about it. She had called to check on a prescription of her own when the worker started talking about his Viagra pills. He says this caused his marriage to break down, although he didn’t specify why, and he is now suing CVS for damages.
In a lawsuit filed in the Nassau Supreme Court, Feinberg alleges that CVS violated his privacy under the HIPAA act. The federal law requires that patients give permission before “confidential protected healthcare information” like this is revealed to others. According to the suit, the worker at CVS “improperly” told his wife – without solicitation – that the Viagra prescription wouldn’t be covered by insurance. He said his wife was a “third party” who didn’t have the right to know about the prescription.
The man is seeking damages for what he termed “genuine, severe mental injury and emotional harm”, accusing the pharmacy of negligence.
For its part, a CVS spokesman said, “We also place the highest priority on protecting the privacy of those we serve, and we take our responsibility to safeguard confidential information very seriously.”
CVS at the center of several privacy controversies
It’s not the first time that CVS has found itself named in a lawsuit for violating people’s privacy. Last year, the chain came under fire after mailing letters that revealed more than 6,000 people’s HIV-positive status just above their name and address through the clear window on the envelopes used to mail them. Plaintiffs in the suit were concerned about the stigma of having their status known, particularly those who live in a small town. Their attorneys say that CVS didn’t announce the privacy data breach and failed to contact everyone whose status had been revealed.
In 2009, CVS paid $2.25 million to settle a HIPAA privacy case in which they were found to be disposing of protected health information improperly in insecure dumpsters that the public could access. They were required to put a strong “corrective action plan” in place as part of the settlement that involved changing their policies regarding disposing of health information and improving related training and sanctioning.
These are just a few of the incidents that have come to light in which CVS showed carelessness when it comes to protecting patient privacy. It’s safe to imagine that there have been plenty of other incidents that we aren’t aware of. Moreover, the Health and Human Services Department reports that it expects to get around 17,000 HIPAA privacy violation complaints this year, so it’s also a problem that certainly stretches beyond one pharmacy chain.
With so much personal information about everybody already available on the internet, healthcare is one of the few realms where people still think they can enjoy a shred of privacy – but it probably won’t be long before a simple online search will tell you all the medications everyone you know has taken.
Sources for this article include: