ALEXANDRIA, Va.—The National Community Pharmacists Assn. and several consumer and privacy groups are asking the U.S. Department of Health and Human Services Office for Civil Rights and the Federal Trade Commission to investigate potential violations of the Health Insurance Portability and Accountability Act by CVS Caremark Corp.

In a letter sent to the director of OCR and the chairman of the FTC, the organizations—which also include Washington-based Consumer Action, Private Citizen Inc. and US PIRG; Austin, Texas-based Patient Privacy Rights; and San Diego-based Privacy Rights Clearinghouse—assert that they have collected “more than 300 complaints covering a wide range of deceptive, fraudulent or otherwise egregious practices” by CVS Caremark, which was created in 2007 by the merger of the drug store chain CVS with pharmacy benefit manager Caremark.

In particular, the groups are challenging letters sent by CVS Caremark to patients that identify the prescription drugs they are taking, the date of their last refill, and the name of the pharmacy used, urging them to obtain all future refills at a CVS retail or mail-order pharmacy.

The letter charges that “CVS Caremark, in its role as a pharmacy benefits manager, has been accessing protected health information entrusted to them for pharmacy claims administration by health plans and competitor pharmacies in order to steer patients to CVS pharmacies for their own financial gain.”

If these letters to plan members were “reminder letters” designed to relay information about health plan structure, they should not include specific information related to individual prescriptions, the groups assert.

“CVS Caremark places the highest priority on maintaining our customers' privacy,” the company responded in a statement. “We have extensive policies and procedures in place to safeguard our customers' sensitive personal and health information, and we follow federal and state laws in handling this information. Just as NCPA has challenged the convenient and affordable option of mail delivery commonly used by PBMs and other pharmacy retailers, NCPA is now challenging the convenient retail pick-up option CVS Caremark is offering for our PBM mail-delivery prescriptions.”

HIPAA privacy rules, which had applied to insurers and health plan sponsors, were extended to include “business associates,” such as PBMs and consultants, under the American Recovery and Reinvestment Act of 2009.

Meanwhile, the FTC has been conducting a nonpublic investigation into certain company business practices, Woonsocket, R.I.-based CVS Caremark acknowledged.

“CVS Caremark is cooperating fully in the FTC’s investigation. While we are not able to predict with certainty the timing, outcome or consequence of the investigation, we remain confident that our business practices and service offerings (which are designed to reduce health care costs and expand consumer choice) are being conducted in compliance with antitrust laws,” the company said in a statement.

Separately, CVS Caremark agreed in February to pay a $2.25 million fine for improperly disposing of patient records.