The CVS File Buy Program: Are Your Pharmacy Records Safe?

By Joseph J. Wang
Health Law & Policy Institute

A man diagnosed with AIDS walked into his neighborhood pharmacy to fill a prescription. For the past 20 years, he had patronized this particular mom-and-pop pharmacy because he felt that his prescription information would be confidential. He did not want his prescription and medical information stored in a chain store database, one that could be accessed by countless employees or by numerous health plans.

Unbeknownst to the man, the local pharmacy closed its doors one day and sold all his records to a national drugstore chain. In that year, the national chain had acquired the records of 350 independent pharmacies nationwide and would acquire the records of 300 more in the next. The man became distressed when he realized that his prescription information would now be part of a nationwide database and could be accessed by over 4000 stores and 97,000 employees.

These are the alleged facts in a New York class action lawsuit filed against CVS and Trio Drugs in Anonymous et al. v. CVS Corp, No. 604804/99. As part of its "independent file buy program," the national drugstore chain, CVS, would buy the pharmacy records of an independent pharmacy that closed down for business. And as part of its agreement with CVS, the independent pharmacy would not tell its customers that it was going out of business nor would it inform them that customer pharmacy records were being sold.

The anonymous plaintiff filed suit against the defendants, CVS and Trios Pharmacy, in a New York Supreme Court. On March 1, 2001, Judge Ramos certified the case as a class action suit, one that joins the 250,000 New York residents potentially affected by the file buy program. The judge denied the plaintiff’s claim based on state statutory law holding that those laws protecting medical information did not apply to pharmacists. However the judge refused to deny plaintiff’s claims that a pharmacy owes a fiduciary duty of confidentiality to its customers and that the defendants engaged in deceptive trade practices.

Fiduciary Duty of Confidentiality

In New York, and possibly nationwide, this case is one of first impression in addressing the issue of whether pharmacists and pharmacies owe their customers a fiduciary duty of confidentially with respect to prescription records. In his opinion, Judge Ramos wrote that "because pharmacists have a certain amount of discretion, and an obligation to collect otherwise confidential medical information, the court must find that customers can reasonably expect that the information will remain confidential."

The defendants argue that no such duty of confidentiality exists. They claimed that customer records were property of the pharmacy and the sale of these records were consistent and in compliance with state retention laws regarding pharmacy records. However this argument is weak in that it assumes that compliance with state retention laws satisfies the duty of confidentiality or that no duty of confidentiality exists without providing a reasonable basis for this conclusion.

If indeed there is a fiduciary duty of confidentiality as the court may find, the defendants breached the duty by their involvement with the sale and transfer of customer pharmacy records without customer consent. Although no state statutory law provides a remedy for breach in the pharmacy context, the plaintiff in this case could successfully argue a case for invasion of privacy, intentional or negligent infliction of emotional distress, or some other theory in tort for defendants’ conduct. The plaintiff, an AIDS patient, could prove that because of the sensitive nature of his pharmacy records, he suffered damages as a result of discrimination and that defendants’ breach of the duty of confidentiality was the cause of the resulting injury. In addition to a suit for breach of confidentiality, this plaintiff could sue under the relevant state statute protecting the confidential nature of HIV information.

Deceptive Business Practices

Lack of notice is the basis for the plaintiff’s second cause of action for deceptive business practices. The plaintiff claims that the pharmacies involved in the file buy program engaged in deceptive business practices by not giving customers notice that patient records would be transferred. The defendants could have notified the affected customers that the independent pharmacy would close its doors and that customer records were being transferred to the larger chain pharmacy. This notice would give customers of the independent pharmacy the opportunity to choose an alternate disposition of their records and the pharmacy would still remain in compliance with state retention laws. The judge allowed the claim stating "the practice of intentionally declining to give customers notice of an impending transfer of their critical prescription information in order to increase the value of that information appears deceptive."

Although the decision by Judge Ramos was a procedural one and does not create any new substantive law, the resolution of this case may mark the genesis of significant developments in the area of medical privacy in pharmacy practice. The duties and responsibilities of pharmacies may be expanded in coming years as medical privacy becomes a hot issue in Congress and state legislatures across the country.

Medical Privacy Laws

Federal law provides protection for individually identifiable health information. The recently enacted federal regulation authorized by the Health Insurance Portability and Accountability Act of 1996 is a comprehensive set of rules that provide various privacy protections for health information. Since pharmacy records contain medical histories and other individually identifiable health information, the federal regulation would cover these records. However, the regulation applies only to a limited number of entities, none of which include pharmacies or pharmacists.

State law may provide more protection for prescription records than federal law. For example, in the 77th legislative session (2001), Texas passed Senate Bill 11, a law that mirrors the HIPAA privacy standards with respect to the individual access, amendment, uses and disclosure, and accounting requirements. The new law also expands the application of these provisions to a broader universe of covered entities including pharmacies and pharmacists. Not all states have such strong privacy protection for medical information, however. State law in this area can be fragmented and weak. Pharmacists should be aware of laws in their state with regards to the collection, retention, use, and disclosure of medical records.