A Local Pharmacy Is Acquired, Revealing a Major Flaw in Health Information Privacy Laws

Last week, without any warning to customers, one of my town’s last local independent pharmacies was acquired by a major pharmacy chain. Customers were given no advance notice whatsoever; apparently, as part of the deal, the acquirer required absolute silence on the part of all involved until after the transaction had closed.

As a result of such a policy, customers found out that a major pharmacy chain had obtained their private health-related information only after it already had their data in its systems; they were given no opportunity to prevent the transfer of that data, nor were they given advance warning that such a transfer would happen. Furthermore,  the independent store closed immediately upon completion of the sale, meaning that the primary asset that the pharmacy chain acquired was likely the independent pharmacy’s “book of business” – i.e., private healthcare data.

Today, such a transfer of data is legal. As long as an acquirer is another entity covered by the rules of the Health Insurance Portability and Accountability Act (HIPAA) – which a major pharmacy chain certainly is – it can not only freely acquire health care data through corporate acquisitions, it can even view such information during the due diligence process, during which it does not even have to anonymize such data.

But, should such transfers of private healthcare data – done without the knowledge (never mind authorization) of the people whose data is being transferred – be legal? Should any “covered entity” really be allowed to obtain your personal, health information without your knowledge or your consent?

What if someone is comfortable with a handful of employees at a small health-care provider knowing various details about his or her health, but not with a major pharmacy chain with thousands of pharmacy workers having access to such data?

What if someone does not trust the information security practices at an acquirer – or at least does not believe that they are as strong as those at acquired company?

What if someone’s data was actually stolen from an acquirer before he or she even knew that the larger provider had their data?

Do most Americans truly understand that, despite having to sign all sorts of paperwork related to privacy whenever they go to the doctor, hospital, or other healthcare facility, any “covered entity” with the money to acquire the provider, can obtain all of its data at any time and without any warning?

Do they understand that they may never find out which firms have obtained their private information as part of “due diligence” processes that did not ultimately yield transactions?

Perhaps, greater clarification for the public is needed.