I started to wonder whether this was a HIPAA violation. How can her (closing...) pharmacy disclose all her prescription and medical info to a third party without her permission?
The details of the transfer matter, but I suspect that the transfer was part of a sale of the assets or stock of the old pharmacy that was closing to the “big box” pharmacy chain. In other words, the big box firm was buying out or merging with the local pharmacy. Under the HHS regulations for the HIPAA privacy rule, the sale by a covered entity of protected health information (PHI) is generally prohibited without the consent of the individual whose records are to be sold. But there is an exception to that: a covered entity does not need consent to transfer PHI “in connection with a sale or transfer of assets to, or a consolidation or merger with, an entity that is or will be a covered entity upon completion of the transaction.” 45 C.F.R. § 162.502(a)(5)(ii)(B)(2)(v). Pharmacies are generally covered entities. Thus, assuming that both pharmacies involved in a merger or asset sale were covered entities and thus subject to HIPAA, the transfer of PHI between them would not violate HIPAA even though no consent had been obtained.
Indeed, as it happens, when HHS promulgated this rule, the example it gave was the sale of one pharmacy to another. In that situation, HHS explained the rule as follows:
“Under the final definition of ‘health care operations,’ a covered entity may use or disclose protected health information in connection with a sale or transfer of assets to, or a consolidation or merger with, an entity that is or will be a covered entity upon completion of the transaction; and to conduct due diligence in connection with such transaction. The modification makes clear it is also a health care operation to transfer records containing protected health information as part of the transaction. For example, if a pharmacy which is a covered entity buys another pharmacy which is also a covered entity, protected health information can be exchanged between the two entities for purposes of conducting due diligence, and the selling entity may transfer any records containing protected health information to the new owner upon completion of the transaction. The new owner may then immediately use and disclose those records to provide health care services to the individuals, as well as for payment and health care operations purposes. Since the information would continue to be protected by the Privacy Rule, any other use or disclosure of the information would require an authorization unless otherwise permitted without authorization by the Rule, and the new owner would be obligated to observe the individual’s rights of access, amendment, and accounting. The Privacy Rule would not interfere with other legal or ethical obligations of an entity that may arise out of the nature of its business or relationship with its customers or patients to provide such persons with notice of the transaction or an opportunity to agree to the transfer of records containing personal information to the new owner.” 67 Fed. Reg. 53190-53191.
In short, there is very likely not a HIPAA violation here. She may not like that her records were transferred to this particular pharmacy chain, but this kind of transaction happens a lot, and the rules were designed to both protect patient privacy and avoid unduly burdening business.
Consider that in mergers of banks and financial institutions the same thing happens: transfers of protected financial information from one institution to another without the consent of the customer. Since both participating businesses in the deal are subject to the privacy rules, the thinking is that the records are protected from disclosure to those who are not under a legal obligation to keep that information private and to restrict the use of that information as provided in the applicable privacy rules. Again, one may not like it when one's small-town bank is bought out by a huge worldwide bank and one's records get transferred to that big bank, but the law allows for that nevertheless. Of course, the laws regarding health information privacy and financial information privacy differ in a number of details, but I just wanted to provide another example to show that this sort of thing is not all that uncommon.