Horrors! A big corporation is looking to snatch your health-care privacy rights for a mere pittance to do who-knows-what with your prescription drug use information.

That's one view. Another take is that a successful company serving millions of people is simply hoping to retain customers and market to them more effectively -- as well as reward them in the process -- without skirting federal laws.

This big corporation is CVS Caremark (CVS). In February, CVS expanded its popular ExtraCare customer rewards program to include prescription drug purchases. The company will pay customers $5 in store credits for every prescription filled -- up to $50 each year -- for enrolling in its ExtraCare Pharmacy and Health program. The catch is that customers must agree to sign a "HIPAA Authorization form" to participate. It's this HIPAA requirement that has stirred some controversy.

Hoopla over HIPAA
In case you're not familiar with HIPAA, the acronym stands for the Health Insurance Portability and Accountability Act. The federal law, passed in 1996, included significant changes for the health care industry. One of those changes was the Privacy Rule, which regulates how protected health information can be used and disclosed by health-care providers, insurers, and other entities.

CVS anticipated that some customers would wonder why they need to sign a HIPAA authorization to participate in the ExtraCare prescription drug program. That's why the company addressed the issue on its website. CVS says that the HIPAA Authorization needs to be signed to allow its pharmacy business unit to "record the prescription earnings of each person who joins the ExtraCare Pharmacy & Health Rewards program."

That doesn't sound too bad. However, when you go through the enrollment process for ExtraCare, you must acknowledge that your "health information may potentially be redisclosed and thus is no longer protected by the federal Privacy Rule." Recording prescription earnings is one thing, but giving up your rights to have your health information protected from disclosure is another matter altogether.

What really makes the CVS requirement puzzling is that several of its key competitors don't require customers to sign a HIPAA authorization to join their rewards programs. Walgreen (WBA) offers its Balance Rewards program that allows customers to earn points on prescription drug purchases that can be redeemed for discounts on future purchases. The company specifically states on its website that any information collected through the program will be handled in a way that fully complies with HIPAA.

Rite Aid's (RAD) Wellness+ program works in a similar manner to the loyalty programs for both CVS and Walgreen. Like Walgreen, though, Rite Aid doesn't require customers to relinquish any rights to privacy protection.

So why does CVS push customers to sign the HIPAA authorization? The company's privacy policy states that CVS won't sell personal information for marketing purposes. However, the policy does say that "in limited circumstances" the company may share information with third parties to provide customers "with technologies, services, or content that may be of interest" or to assist CVS in processing orders.

This privacy policy goes beyond what the HIPAA Privacy Rule allows for protected health information (which includes prescription drug purchases). My guess is that CVS Caremark's legal eagles wanted to put the HIPAA authorization in place to at least keep the door open for sharing prescription drug purchase information with third parties at some point, like it does for other purchases. To actually do so, though, would be a very unwise move for CVS because of the negative publicity it would undoubtedly bring.

Rewarding
There's no question that the reward programs have been highly beneficial for CVS. CEO Larry Merlo noted recently that the ExtraCare program boosts both sales and margin. The overall program has been in place for 15 years and now counts more than 70 million members.

And despite some of the controversy over how it handled HIPAA privacy, the expansion of ExtraCare to cover prescription drugs looks to be doing well. Mark Cosby, CVS Caremark executive vice president and CVS/pharmacy president, said two weeks ago that 3 million customers had enrolled.

Rite Aid has also experienced solid success from its program, which was launched in 2010. In June, the company stated that its loyalty program had 25 million members. During the fiscal 2014 first quarter, Rite Aid said that program members accounted for 70% of prescriptions and 77% of front-end sales.

Walgreen initiated its program in September 2012 and already has a whopping 79 million members. The company said recently that 60% of store purchases were made using the loyalty card.

Shareholders might be receiving even more rewards from these loyalty programs than customers are. So far this year, all three of these big pharmacy chains have handily beaten the major indexes. The better CVS, Rite Aid, and Walgreen get at personalizing marketing efforts, especially with prescription drug information in the mix, the higher those shares could go.