It started with a private message I received on Twitter, asking me what I knew about the privacy policies of prescription discount services. The message provided a link to Medication Discount Card, a site that offers a free prescription discount card that advertises it can save you 10 – 75% on your prescription costs if you use the card at any participating pharmacy.
In looking at the site, I understood the inquiry as there was no privacy policy posted anywhere that described what data were collected if you used the card and what might happen to those data. So I contacted the site to ask about their privacy policy. A spokesperson replied promptly, and noted that somehow the privacy policy had not been restored when they did a recent update of their site. On receipt of my inquiry, he promptly re-uploaded and linked their web site’s privacy policy from the bottom of their home page.
But that was the web site privacy policy, which is important, but it was not the policy for data associated with any use of the card. I tried again:
Thank you for the web site privacy policy, but as my inquiry indicated, I am seeking the privacy policy for what happens to the data collected from usage of the discount card itself. Who gets access to those data, how are they shared, etc.?
Again, I got a prompt response:
We do not collect any personally identifiable information from anyone using the pharmacy card. What we do collect is used internally, we do not sell or rent any lists to any partners or third parties.
Could it really be so simple? What do they consider personally identifiable information, and is it possible that any data they do collect could be easily re-identified? And where did it actually say that on their web site? In response to my query, the site added their statement to their FAQ (see Question 12).
Impressed with their responsiveness if not the detail of their statements, I tried one more time:
… Your statement about card use does not tell consumers what data you collect. Do you collect/retain their name, addresses, medication name, prescribing doctor name, etc.? Do you retain any payment info like credit card numbers?
How do you secure/protect information? Is it all encrypted using NIST-grade encryption?
People – and the govt – are becoming more sophisticated/concerned about data collection, retention, and usage. Your policy should address these issues in plain language.
That was a week ago. I never heard back from him, but I hope they’re thinking about being more specific in their statement about what they do collect and how it’s stored. And whether people can request that their records be deleted.
Maybe everything is as he described it to me in e-mail, but I tend to be cautious about prescription data. Keeping in mind their privacy policy that allows them to include any data they have on you as a transferrable asset should they sell their business, how comfortable would you be using the card?
Medications are frightfully expensive and many of us do not have good insurance coverage. Will the need to save money trump concerns about data security and privacy? It probably will for many people. So… as always, consumers need to be aware and informed, and make sure they know what data about them are being collected and could be shared at some point.
Thanks to the follower who sent me the inquiry. I hope this answers your question.
Update: Following publication of the post, I received an email from MDC that apologized for the delay in responding and included the following clarification:
… right now we collect very minimal information from any patients. They do not even need to enter their name or email address before printing a card. The information the pharmacy collects does not get passed on to us due to HIPAA laws. The only piece of information we collect is the number of people that print discounts and which particular drugs they are for. We do not collect names, credit card information, location, or anything that could remotely identify that person.
Within the upcoming months we will be redesigning our website and will address these issues much more clearly.
Now that is very helpful information and somewhat reassuring. Of course, MDC is just one company and others may not have the same policies, so it’s always best to inquire.
Nice post. It’s disturbing that so many commercial databases exist with our private medical and prescription histories. I’m pretty sure most consumers are unaware that they exist, how they work, and what (if any) legal rights and protections for the consumer are in place.
Thank you for updating your post.
Just to clarify, the reason that I did not respond to his last email for some time was because I was away on vacation for the Easter holiday and I am the only one in the company qualified to answer such questions.
As Dissent can attest to, I have responded to all other inquiries in an extremely prompt manner.
You’re welcome, and yes, other than you thoughtlessly taking a vacation while I was still working, you’ve been very prompt and helpful. :)
Feel free to come back and let us know when your web site is updated. Perhaps it will serve as a model for others.