Jim Doyle reports:
Walgreens’ recent acquisition and immediate closure of three independent community pharmacies in the St. Louis area has raised questions about the privacy of customers’ prescription records.
Some former customers of the three sold pharmacies — the Williams Pharmacy in University City, the Clarkson Square Pharmacy in Chesterfield and Prescription Plus in the Central West End — have complained that, as part of the Nov. 30 sale, their medical files were transferred to Walgreen Co. without their consent, violating their privacy.
Read more on STLtoday.com.
This appears to be one of those situations where people feel violated because most of the public does not know that this type of transfer is perfectly legal under HIPAA. What I found most interesting about the news story was that some states require prior notice:
Missouri law does not require patient notification before a pharmacy sale or transfer of records. But some states, including Illinois and Iowa, do require notice. Under Illinois law, customers must receive 15 days notice before a pharmacy sale, including notice of where the customer’s records will be maintained. Iowa requires 30 days notice to consumers.
Maybe that provision should have been embodied in HIPAA itself, with notification to be provided either by the pharmacy itself or the business/pharmacy that is taking over the records. Of course, that would add cost to the process, and in the case of a bankruptcy sale, would be even more difficult for the original pharmacy, but as someone committed to patient control and consent, I think it’s worth raising the issue (again).