Law enforcements can obtain prescription records from pharmacy giants without a warrant

America’s eight largest pharmacy providers shared customers’ prescription records to law enforcement when faced with subpoena requests, The Washington Post reported Tuesday. The news arrives amid patients’ growing privacy concerns in the wake of the Supreme Court’s 2022 overturn of Roe v. Wade.

The new look into the legal workarounds was first detailed in a letter sent by Sen. Ron Wyden (D-OR) and Reps. Pramila Jayapal (D-WA) and Sara Jacobs (D-CA) on December 11 to the secretary of the Department of Health and Human Services.

[Related: Abortion bans are impeding medication access.]

Pharmacies can hand over detailed, potentially compromising information due to legal fine print. Health Insurance Portability and Accountability Act (HIPAA) regulations restrict patient data sharing between “covered entities” like doctor offices, hospitals, and other medical facilities—but these guidelines are looser for pharmacies. And while search warrants require a judge’s approval to serve, subpoenas do not.  

Representatives for companies including CVS, Rite Aid, Kroger, Walgreens, and Amazon Pharmacy all confirmed their policies during interviews with congressional investigators in the months following Dobbs v. Jackson Women’s Health Organization. Although some pharmacies require legal review of the requests, CVS, Rite Aid, and Kroger permit their staff to deliver any subpoenaed records to authorities on the spot. Per The WaPo, those three companies alone own 60,000 stores countrywide; CVS itself employees over 40,000 pharmacists.

According to the pharmacy companies, the industry giants annually receive tens of thousands of subpoenas, most often related to civil lawsuits. Information is currently unavailable regarding how many of these requests pharmacy locations were honored, as well as how many originated from law enforcement.

Given each company’s national network, patient records are often shared interstate between any pharmacy location. This could become legally fraught for medical history access within states that already have—or are working to enact—restrictive medical access laws. In an essay written for The Yale Law Journal last year, cited by WaPo, University of Connecticut associate law professor Carly Zubrzycki argued, “In the context of abortion—and other controversial forms of healthcare, like gender-affirming treatments—this means that cutting-edge legislative protections for medical records fall short.”

[Related: The dangers of digital health monitoring in a post-Roe world.]

Zubrzycki warns that, “at the absolute minimum,” patients seeking reproductive and gender-affirming healthcare “must be made aware of the risks posed by the emerging ecosystem of interoperable records.”

“To permit people to receive care under the illusion that their records cannot come back to harm them would be a grave injustice,” she wrote at the time.