Getty Images

MA AG Questions Retail Pharmacy Use of Patient COVID-19 Vaccine Data

In a letter sent to the leading US retail pharmacy chains, the Massachusetts AG calls into question the use of personal patient data from those who receive the COVID-19 vaccine.

After reports that personally identifiable information is being unnecessarily collected from patients seeking the COVID-19 vaccine, Massachusetts Attorney General Maura Healy sent a letter to retail pharmacy chain executives to gain insights into their processes for data collection.

The letter was sent to the C-Suite leaders of leading retail pharmacies, including Costco, CVS Health, Rite Aid, Walmart, Walgreen, Albertsons Companies, Topco, and Retail Business Services.

Pharmacies have been authorized to deliver vaccines to expand the much-needed distribution and support healthcare providers across the country. While a critical health initiative, multiple reports have raised privacy concerns around the data collection processes employed by these outlets.

Consumers have complained that retail sites require individuals to share personal data that’s unnecessary for vaccine administration. Healy explained that these individuals are also worried this information is being collected for unrelated purposes, such as marketing or commercial means.

“We understand that some personal information is necessary to establish vaccine eligibility, schedule appointments, and seek reimbursement from insurance carriers or the federal government,” Healy wrote. 

“We also appreciate that some consumers may want to participate in loyalty or other marketing programs offered by your companies,” she continued. “But access to life-saving vaccines should not be conditioned on a consumer’s consent to provide personal data not necessary for the vaccination administration.”

As the state expands vaccine eligibility requirements to those 16-years-old and older, these concerns over unnecessary data collection are paramount. Healy also stated that unnecessary data collection could further impact racial and ethnic disparities in distribution rates.

To assuage the public’s fears and promote public trust in the vaccine distribution processes, the retail pharmacy executives are being asked to address a number of key concerns, including what information is requested or collected from people who view, sign up, or obtain a vaccination with retail stores in Massachusetts.

Healy also asked for insights into whether consumers are required to create an account with the pharmacy chain to view, sign up, or obtain a vaccination, as well as the disclosures made to these individuals in connection with this data collection and or account creation.

The leaders must also explain how they obtain the consent of each consumer to collect their personal data, or whether the collection of data is automatic unless the individual has “opted-out”. Those with an “opt-out” process must explain what happens to the data when a user exercises that option.

Further, Healy is seeking insights into the purposes of each data collection element, as well as what data is truly necessary to obtain a vaccination and the reasoning for that decision.

“What do you intend to do with this data? Will it be used for marketing or business development purposes? Will it be shared with others? If so, with whom and why?” Healy asked. 

“If you are collecting personal data from consumers in connection with providing vaccinations that is not necessary for the administration and reimbursement of the vaccinations, is that data being stored separately, or otherwise segregated from, other personal information collected from the consumer for marketing or other commercial purposes?” she added.

Privacy has been a key concern throughout the pandemic with the rise in contact tracing apps and tech quickly deployed to support the response. As there is no federal privacy law, consumer data is protection through a patchwork of state laws. But there is much work to be done to fully protect user-generated data.

For example, Google was recently sued by users of the contact tracing app of the California health department for a security flaw that allegedly exposed user data.

A recently proposed framework from the Center for Democracy & Technology and the eHealth Initiative & Foundation could provide needed security measures for data that falls outside of HIPAA.

Next Steps

Dig Deeper on Health data access & privacy