Pharmacies

It seems reasonable to assume that transactions at a pharmacy would be protected under HIPAA, since the pharmacy is the place the doctor sends the patient to pick up prescriptions. Reality is unfortunately not this straightforward, as different rules apply to different parts of the pharmacy business.

HIPAA and the Pharmacy Counter

At a business typically called a “pharmacy” in the United States, there is normally a pharmacy counter at which prescriptions are filled. The rest of the building is occupied by shelves containing over-the-counter products, cosmetics, food, and miscellaneous general merchandise. Furthermore, it is common for grocery stores and discount stores (like Walmart and Target) to have their own pharmacy counters. We already know from previous lessons that regular retail stores have privacy issues. But these stores have pharmacies, so shouldn’t they be subject to HIPAA privacy regulations?

To answer this question, we need to look at HIPAA itself. Recall the title: Health Insurance Portability and Accountability Act of 1996. This law and its associated regulations are about regulating things related to health insurance, specifically situations where health insurance is paying for some kind of medical care.1 Generally speaking, the only things for which health insurance pays at a pharmacy are prescription drugs that are filled by the pharmacist. We normally have to pay for over-the-counter (OTC) medicines out of pocket. Certainly, health insurance doesn’t cover a snack from a standalone pharmacy or windshield wiper blades from Walmart. In addition, stores that do not fill prescriptions or have a pharmacy counter can still sell OTC medications.

Whether or not a transaction at a pharmacy is covered by HIPAA depends both on what is being purchased and – as a consequence of the way point-of-sale software works – possibly on where in the store it is being purchased. Prescription drugs must be filled by the pharmacist and must be purchased at the pharmacy counter. Since health insurance normally covers these drugs, HIPAA applies. For this reason, the point-of-sale system at the pharmacy counter is typically configured to be separate from the systems used in the rest of the store. Thus, if a person buys OTC products like condoms and lubricant and pays at the self-checkout up front, there are no privacy protections on the purchase. Even though it might not be required by law, the practicalities of the point-of-sale system mean that purchasing the same condoms and lubricant at the pharmacy counter will have greater privacy protections, in spite of the potential for an awkward interaction with the cashier.2

Discount Programs

Pharmacies can sidestep HIPAA and add individuals’ prescription information to their marketing databases as long as the customer gives the pharmacy written authorization to do so, as is codified in the HIPAA Privacy Rule.3 Customers might not be so keen to let their protected health information be used for marketing if they’re asked for it directly. Consequently, pharmacies have found a way to encourage customers to waive their rights under HIPAA by agreeing to sign up for a pharmacy discount program that either reduces the retail price of their prescriptions or provides rewards for filling prescriptions at that pharmacy. An example of this practice may be found with the CVS ExtraCare Rewards at the Pharmacy program, which requires users to agree to let CVS use “health information, including … prescription history, vaccination history, [and] prescription status” to send them “marketing communications and information about programs, goods and services, including those funded by third parties.” Signing up for this program requires agreement that “the Program is not subject to HIPAA” and that information will be shared with other companies.4

It isn’t just the pharmacies that can talk individuals into giving up privacy rights in exchange for a discount. The third-party GoodRx program, which is widely advertised in TV commercials and pop-up displays at medical providers, offers discounts on prescription drugs to people who sign up for the program. Since GoodRx isn’t health insurance and is operating under a direct-to-consumer model, HIPAA doesn’t apply. GoodRx is a surveillance economy company: it exists to collect information from consumers and target them with advertising in exchange for modest discounts on some prescription drugs. Consumers who use GoodRx have their information shared with marketing companies, and this information historically included the names of the prescriptions they were taking.5 Although GoodRx was able to sidestep the HIPAA Privacy Rule with their business model, the Federal Trade Commission (FTC) took a dim view of their business practices and accused the company of sharing sensitive health data without the data subjects’ knowledge or consent. GoodRx settled with the FTC for $1.5 million.6

Governments and Big Tech

Marketers aren’t the only ones who want access to people’s prescription data. In early 2025, the Florida Office of Insurance Regulation demanded that pharmacy benefit managers – the companies that handle prescription drug benefits for health insurance policies – hand over detailed information about prescription drugs filled in the state. Although this state office claimed it was trying to lower the cost of prescriptions for Florida residents, concerns were raised about the level of patient detail contained in the records, especially in light of the state’s six-week abortion ban, abortion pill regulations, and restrictions on transgender care. In its order, the Florida Office of Insurance Regulation did not restrict the scope of its inquiry to Florida residents. Anyone who happened to fill a prescription while merely visiting the state would have their information shared.7

Another dubious collector of prescription information is Big Tech, which always seems to be looking for new ways to profile ordinary people. Thus, when Amazon launched its online drugstore in 2020, concerns were immediately raised about how Amazon would use prescription information and how it might combine that information with the trove of other data it has about Americans’ shopping habits. While prescription drugs are definitely subject to HIPAA, presumably requiring Amazon to set up different systems for handling these purchases, their privacy policy disclosed sharing information with “business associates” as a HIPAA exception. Given Amazon’s size, it still isn’t clear if the rest of the company is a “business associate” of the pharmacy.8

Mitigation

With respect to prescription drugs, the HIPAA Privacy Rule provides at least some protection, as long as you don’t sign away your rights by giving the pharmacy written authorization to use your information for marketing purposes. It is unfortunately too easy to sign away these rights, however, since the pharmacy can simply make an authorization clause a required part of some kind of discount or rewards program. Such programs should be avoided entirely in order to ensure that prescription information remains subject to HIPAA. One way to avoid signing up for a pharmacy program is to use the pharmacy only for filling prescription medication and to decline the sign-up offers. Purchase any other goods, including any OTC supplies, from a discount store instead (and probably at a lower price than at the pharmacy store, even with the discount or rewards applied).

Third-party discount programs should be viewed with considerable skepticism, since there isn’t an obvious business model for these companies apart from surveillance capitalism. That said, there may be times when a discount means the difference between being able to afford a necessary prescription and having to go without. In such a situation, first look to the company that makes the drug in question. That company may have discounts available for which an individual can qualify, and its information privacy might be better (relatively speaking) than that of the third-party discount programs. For individuals without prescription drug coverage, shopping around different pharmacies to find the lowest retail price might yield the same results as using a third-party discount program. In some cases, these third-party programs might just be doing price comparisons between pharmacies and matching drug names to drug company discounts anyway. An individual using such a company is trading their privacy for a small amount of convenience, since they could obtain the same cost savings themselves with a little effort.

Notes and References

1. “Summary of the HIPAA Privacy Rule.” U.S. Department of Health and Human Services.

2. Thomas Germain. “Guess What? HIPAA Isn’t a Medical Privacy Law.” Consumer Reports. June 13, 2022.

3. “Marketing.” U.S. Department of Health and Human Services. April 3, 2003.

4. “Unlock ExtraCare Rewards at the Pharmacy.” CVS.

5. Thomas Germain. “GoodRx Saves Money on Meds – It Also Shares Data With Google, Facebook, and Others.” Consumer Reports. March 6, 2020.

6. Steve Alder. “Judge Approves FTC’s $1.5 Million Settlement with GoodRx to Resolve FTC Act and Health Breach Notification Rule Violations.” The HIPAA Journal. February 28, 2023.

7. Reed Abelson and Rebecca Robbins. “Florida Seeks Drug Prescription Data With Names of Patients and Doctors.” The New York Times. March 5, 2025.

8. David Lazarus. “Do you really want Amazon’s new drugstore knowing your medical condition?” Los Angeles Times. November 19, 2020.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.