Save 10% on prescriptions, lose 75% on privacy? (updated)
It started with a private message I received on Twitter, asking me what I knew about the privacy policies of prescription discount services. The message provided a link to Medication Discount Card, a site that offers a free prescription discount card that advertises it can save you 10 – 75% on your prescription costs if you use the card at any participating pharmacy.
Again, I got a prompt response:
We do not collect any personally identifiable information from anyone using the pharmacy card. What we do collect is used internally, we do not sell or rent any lists to any partners or third parties.
Could it really be so simple? What do they consider personally identifiable information, and is it possible that any data they do collect could be easily re-identified? And where did it actually say that on their web site? In response to my query, the site added their statement to their FAQ (see Question 12).
Impressed with their responsiveness if not the detail of their statements, I tried one more time:
… Your statement about card use does not tell consumers what data you collect. Do you collect/retain their name, addresses, medication name, prescribing doctor name, etc.? Do you retain any payment info like credit card numbers?
How do you secure/protect information? Is it all encrypted using NIST-grade encryption?
People – and the govt – are becoming more sophisticated/concerned about data collection, retention, and usage. Your policy should address these issues in plain language.
That was a week ago. I never heard back from him, but I hope they’re thinking about being more specific in their statement about what they do collect and how it’s stored. And whether people can request that their records be deleted.
Medications are frightfully expensive and many of us do not have good insurance coverage. Will the need to save money trump concerns about data security and privacy? It probably will for many people. So…. as always, consumers need to be aware and informed and make sure you know what data about you are being collected and could be shared at some point.
Thanks to the follower who sent me the inquiry. I hope this answers your question.
Update: Following publication of the post, I received an email from MDC that apologized for the delay in responding and included the following clarification:
… right now we collect very minimal information from any patients. They do not even need to enter their name or email address before printing a card. The information the pharmacy collects does not get passed on to us due to HIPAA laws. The only piece of information we collect is the number of people that print discounts and which particular drugs they are for. We do not collect names, credit card information, location, or anything that could remotely identify that person.
Within the upcoming months we will be redesigning our website and will address these issues much more clearly.
Now that is very helpful information and somewhat reassuring. Of course, MDC is just one company and others may not have the same policies, so it’s always best to inquire.