by jetti 2862 days ago
So this has been a roller coaster. My initial thought was that this was a big HIPAA violation but then I decided to actually look to see if my assumption held up. According to the Department of Health & Human Services page on HIPAA and marketing [0], Walgreens can use personal health information (PHI) in marketing without violating HIPAA, as long as they have permission to do so.

So with that in mind, I went and looked at Walgreens' notice of privacy practices [1] and they say that they will get a written disclosure before using PHI (and that is restated in their Balance Reward ToS).

Bottom line is, if they are selling information, then hopefully your friend has signed a form authorizing use of the PHI; otherwise Walgreens is violating HIPAA.

[0] https://www.hhs.gov/hipaa/for-professionals/privacy/guidance...

[1] https://www.walgreens.com/topic/help/general/noticeprivacypr...