top of page

CVS complaint raises question: Is it customer service or a HIPAA violation?

Patient Beth Joyner Waldron's social media presence, and a company's response to it, has raised a legal question.

For the last six months, Joyner Waldron has publicly critized CVS Health, its executives and Caremark, its pharmacy benefit manager, on Twitter for requiring her and other commercial enrollees to switch from Bristol-Myers Squibb's Eliquis to Janssen Pharmaceuticals Xarelto, both anticoagulants that experts say have not been proven interchangeable through randomized control trials. Observational studies have concluded the two are not the same.

Joyner Waldron tagged the company and several of its executives, including its CEO, in multiple Twitter posts. She called out the business during public testimony before the Federal Trade Commission.

Earlier this month, she received an unexpected call from a CVS employee, who said he wanted to talk about her health history. It raises the question: By using information from her private Caremark account to perform customer service, were the federal laws on the disclosure of patient information violated?

Joyner Waldron said the employee identified himself as a communications member of the office of the president, and that he called her because she tweeted a TV news story about CVS restricting Eliquis from its formulary.

"I've been tweeting for months now. Why now?" she told Modern Healthcare.

The CVS employee was a member of the company's customer care group, and reached out to Joyner Waldron because the business saw her tweets and wanted to address her concerns, "as we do for any complaint we receive from a PBM member," a spokesperson wrote in an email to Modern Healthcare.

The two spent nearly an hour discussing her personal medical information and health plan, Joyner Waldron said.

The CVS employee asked why she kept posting on Twitter if she was able to access Eliquis, she said. Joyner Waldron is retired and covered through the North Carolina state health plan, a self-insured employer that modified its formulary in February to cover Eliquis for its 727,000 members.

Joyner Waldron said she replied by asking how the employee gained access to her medical record and phone number. She said she was so put off that the employee supposedly pulled her information from her Caremark account that she filed a formal complaint against CVS. The complaint, filed April 18, alleges the company violated the Health Insurance Portability and Accountability Act. The U.S. Department of Health and Human Services investigates such complaints.

"As a patient with a life-threatening condition, I'm dependent upon my medications," Joyner Waldron said. "When my pharmacy benefit manager accesses my private medical information without need and is using that to influence my advocacy as a patient, that feels threatening."

The legal standard

Congress passed HIPAA in 1996 to create national standards around the technical, administrative and physical safeguards of patient medical data. In 2020, HHS received nearly 27,200 complaints, according to the most recent data from the agency.

Healthcare companies improperly exposing patient data through social media is rare.

However, HHS' Office for Civil Rights in March issued a $50,000 fine against Dr. U. Phillip Igbinadolor, a North Carolina dentist who responded to a patient's negative online review by posting the patient's name, treatment details and writing "get a life" on the office's Google page.

In that instance, Igbinadolor posted the patient's information publicly. Because Joyner Waldron was contacted privately to discuss her health information, her situation likely does not constitute a HIPAA violation, said Brad Rostolsky, a partner at law firm Reed Smith's HIPAA and health privacy and security practice. He compared Joyner Waldron's experience with that of a front-desk assistant accessing patient information to schedule an appointment.

"If somebody calls a provider to complain about something, I don't know that it would be strange for an office manager to get on phone and talk through it," Rostolsky said.

A critical discussion point would be whether Joyner Waldron and the employee's conversation centered on her as an individual patient or as a public advocate, said Erik Weinick, a partner at the law firm Otterbourg.

"Different people are seeking reasons when it comes to social media," Weinick said. "Sometimes it's to get the attention of a company, sometimes it's attention for themselves, sometimes it's just to troll and get people excited."

CVS' conduct likely poses more of a public relations risk, rather than a legal liability, he said. Joyner Waldron's posts have been shared by a number of not-for-profit medical groups, policy experts, drug pricing researchers, media outlets and more.

Joyner Waldron said she's happy she got the attention of CVS—she's wanted to discuss adding Eliquis back to Caremark's national formulary. She said she wishes the company had reached out to her on Twitter, asked her to provide her contact information and worked with her to schedule a time to talk. She said she wants CVS to update its customer service policies. By contacting her unexpectedly, she said she feels the corporation was trying to intimidate her and silence her tweets.

"The way this was done unnerved me because, again, I do depend on this company for access to my life-saving medications, and I don't want to jeopardize that," Joyner Waldron said.


bottom of page