Mass. AG Presses Pharmacies On Vaccine Patient Data Use

By Joyce Hanson

Law360 (May 4, 2021, 8:24 PM EDT) -- The Massachusetts attorney general's office is questioning major pharmacy chains and other large retailers about their collection and use of personal data from COVID-19 vaccine recipients, saying it has concerns about why the companies are collecting personally identifying information from consumers.

A Monday letter from Massachusetts Attorney General Maura Healey to chains including CVS Health, Rite Aid Corp. and Walgreen Co. calls on the pharmacies to explain what kind of personal data they collect from vaccine patients. The AG's office asks the companies seven detailed questions about what disclosures they make to consumers when asking them to create accounts, whether they plan to use the data for commercial purposes, and whether the data is being stored separately from general customer information.

"We are reaching out in response to reports that personally identifying information is being collected from consumers who seek to obtain vaccinations from retail pharmacies," the letter said. "The reports echo concerns we have received on behalf of consumers who complain that they are required to provide personal data that is not necessary for the administration of their vaccination, and who worry that such personal data is being collected for unrelated marketing or other commercial purposes."

Also on the AG's mailing list were retailers Albertsons Companies Inc., Costco Wholesale, Retail Business Services LLC, Topco Associates LLC and Walmart. The letters are addressed to the companies' general counsel or government relations directors.

Healey's letter comes as a follow-up to an April 2 letter Data Privacy and Security Division chief Sara Cable received from the Electronic Privacy Information Center and a coalition of other civil society groups, warning that a line is being blurred between the public health task of administering vaccines and the commercial goals of the companies that are administering them.

"We are specifically concerned about the collection and use of personal data for commercial purposes unrelated to the administration of these life-saving vaccines," EPIC and the other groups told Cable.

While state and federal governments are trying to promote vaccines to the general public with the help of retail pharmacies, the companies are taking advantage of the coronavirus pandemic to require patients to register through their customer portals, "which in turn exposes patients to broad personal data collection and marketing," according to the groups' letter.

According to EPIC, the U.S. Centers for Disease Control and Prevention recently issued a directive prohibiting health providers "from using any data gathered in the course of their participation in the CDC COVID-19 Vaccination Program, including any protected health information or other personally identifiable information, for commercial marketing purposes."

The AG's letter, while thanking retail pharmacies for making vaccines more accessible to Massachusetts residents, also said that the government's expansion of vaccine eligibility to teenagers and children heightens concerns about unnecessary data collection and secondary uses of that data.

The seven detailed questions in Healey's letter ask, among other queries, what information is collected from people who view available vaccination appointments with retail stores in Massachusetts, whether consumers are required to create an account to sign up for a vaccination, and whether data collection is automatic unless the consumer opts out.

Question No. 6, for example, asks, "What do you intend to do with this data? Will it be used for marketing or business development purposes? Will it be shared with others? If so, with whom and why?"

Fraser Engerman, senior director of external relations for Walgreens, told Law360 in an email Tuesday that customers who schedule a COVID-19 vaccine with Walgreens become a patient of Walgreens pharmacy, and any information collected is "protected, used and disclosed" in accordance with the company's Health Insurance Portability and Accountability Act of 1996, or HIPAA, notice of privacy practices.

"The vaccine record becomes a component of the patient record, subject to state and federal records retention requirements," Engerman wrote. "Patient data collected during interaction with the pharmacy through a digital account is subject to the same obligations under HIPAA. HIPAA prohibits the sale of protected health information without explicit written patient authorization."

Mike DeAngelis, senior director of corporate communications for CVS Health, told Law360 in an email late Tuesday that patients when scheduling vaccinations on are asked for certain demographic information such as race, ethnicity, age and location as part of the data reporting requirements to the CDC. The company also collects their contact information in order to send them appointment confirmations and reminders, according to DeAngelis.

"All information collected through our online scheduler is considered protected health information (PHI) under HIPAA and is subject to the CVS Pharmacy Notice of Privacy Practices," DeAngelis wrote. "Unlike others, we do not require patients to create an account on our website, or join our loyalty/rewards program, at any point in the COVID-19 vaccination process, and we do not use information collected during the vaccination registration process to market front store items or loyalty programs."

Representatives for Rite Aid did not immediately respond Tuesday to a request for comment.

Representatives for EPIC and the Massachusetts Office of the Attorney General could not be reached immediately for further comment.

--Editing by Ellen Johnson.

Update: This story has been updated with a comment from CVS Health.
