No, I don't think it would be. The last four digits of a CC purchase at a pharmacy won't contain PHI. It will just say "pharmacy." But if you have some data to back that claim up, I'd love to read about it.
They probably have records for each individual (not just the last four digits of the CC); I don't think it's a HIPAA violation as long as the records don't contain personally identifying information.
Maaaybe it’s against some law or privacy policy or mandatory annual training.
But do you honestly believe companies follow laws and policies if they think they can get away with not doing so?
And even if you can ignore that corporations are regularly -publicly- wrist-slapped for failings in those areas and still believe they are virtuous, privacy-respecting, law-abiding entities (rofl) … are you ready to argue that no executive or other employee ever (knowingly or unknowingly) uses data to run a calculation or check a theory against published policy?
The only thing that surprises me about the above scenarios is that there’s a human alive who would believe they’re improbable, let alone, as “can’t” would imply, impossible.
I've never worked in the medical industry but I know many people who have, who basically told me HIPAA violations are extremely common and only enforced for a fraction of violations that actually occur. My ex used to work in medical insurance (for a very, very big company) and estimated that maybe 3% of HIPAA violations are actually enforced. I used to think HIPAA was a huge deal until she told me story after story of violations that were ignored.
I think HIPAA is the sort of thing where if you hear about it then it's taken seriously, but the overwhelming number of violations are just ignored and you never hear about them. I'd like to be wrong but unfortunately that's the information I've been fed by people more knowledgeable than me.
They don't have to know anything about the specific person to correlate data they likely already have in their POS system.