[reaperducer]

I can't say if GoodRx is doing it, but Walgreen's seems to be selling information.

I was with a friend picking up his meds and I bleeped my rewards card to collect the points, since he didn't have one. Now I get offers in the mail to treat his condition.

[jetti]

So this has been a roller coaster. My initial thought was that this was a big HIPAA violation but then I decided to actually look to see if my assumption held up. According to the Department of Health & Human Services page on HIPAA and marketing [0], Walgreens can use personal health information (PHI) in marketing without violating HIPAA, as long as they have permission to do so.

So with that in mind, I went and looked at Walgreen's notice of privacy practices [1] and they say that they will get a written disclosure before using PHI (and that is restated in their Balance Reward ToS.

Bottom line is, if they are selling information then hopefully you're friend has signed a form authorizing use of the PHI otherwise Walgreens is violating HIPAA.

[0] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance...

[1] https://www.walgreens.com/topic/help/general/noticeprivacypr...