by alexwilde 919 days ago
The article covers this:

The Health Insurance Portability and Accountability Act, or HIPAA, regulates how health information is used and exchanged among “covered entities” such as hospitals and doctor’s offices. But the law gives pharmacies leeway as to what legal standard they require before disclosing medical records to law enforcement.

3 comments

HIPAA law and implementing regs include broad allowances for disclosure to law enforcement, some of which involve some degree of subjective judgement on the part of the covered entity (and most of which do not require a warrant), but, no, it does not allow pharmacies (or any other covered entities) "leeway as to what legal standard they require" (emphasis added) before such disclosure.

See, generally, https://www.hhs.gov/hipaa/for-professionals/faq/505/what-doe... and the regulations cited therein.

I work in this space, and your comment is completely wrong. Data covered by HIPAA is always covered by HIPAA. A covered entity would also include a health insurer and all payment intermediaries; this is straight from the HHS FAQ (https://www.hhs.gov/hipaa/for-professionals/faq/covered-enti...)
Did you read the article? I've read through what you've linked as well as this page: https://www.hhs.gov/hipaa/for-professionals/faq/190/who-must...

I'm not seeing anything that explicitly calls out Pharmacies.

https://www.hipaajournal.com/hipaa-compliance-for-pharmacies...

The police are breaking federal law and the article is wrong. This is not a gray area.

I don't think you read the article or the links you provided. It clearly states the police are obtaining this information through subpoena and not warrants:

In briefings, officials with America’s eight biggest pharmacy giants — Walgreens Boots Alliance, CVS, Walmart, Rite Aid, Kroger, Cigna, Optum Rx and Amazon Pharmacy — told congressional investigators that they required only a subpoena, not a warrant, to share the records.

And in the link you provided:

When might it be permitted for a pharmacy to disclose PHI to law enforcement officers?

Bearing in mind that, once in a designated record set, PHI could be an individual's name or physical description, a pharmacy (or pharmacy staff) is permitted to – but not required to – disclose PHI to law enforcement officers in the following six circumstances:

as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests

In this case, the leeway in the standard here is what the pharmacy chooses to comply with. They are choosing to comply with subpoenas. This article points out how that standard could be higher (warrants).

https://www.hhs.gov/hipaa/for-professionals/faq/505/what-doe...

I really don't want to keep googling things for you. The police are not judicial officers. Yes, I've read the article.

You keep dropping links for me to chase instead of just reading between the lines. Police cannot issue their own subpoenas. Police are not judicial officers. However, they are getting judicial officers to write their subpoenas. A judicial officer does not have to be a judge, therefore the standard is lower than a warrant.
Wow, that's a gaping privacy loophole.
HIPAA was never a law about privacy of medical data. It's a law that governs the management of medical data, with very limited protections for privacy. I think most people misunderstand that law, its purpose, and its implications.
The P in HIPAA stands for "Portability," not "Privacy."
Sure, but privacy has been a design consideration of HIPAA since 2003.
HIPPA is the Privacy act ;)