HIPAA covers "covered entities": health plans, healthcare providers, and clearinghouses, plus their direct business associates. What it does not cover, cleanly, is data that's been stripped of direct identifiers and then sold onward, or data collected by an app that never counted as a covered entity in the first place. Prescription data has spent decades moving through both of those gaps.
Who Sees It Before It's "De-Identified"
Pharmacy benefit managers, the companies that sit between insurers and pharmacies to process prescription claims, see every fill: drug, dose, prescriber, and patient. A handful of PBMs process the overwhelming majority of US prescription claims, which means a small number of companies have visibility into the medication histories of most insured Americans as a routine byproduct of doing their job, not as a special surveillance program.
Separately, prescription data aggregators such as IQVIA (formerly IMS Health) have built a business for decades on collecting prescriber-level and patient-level prescription data from pharmacies and PBMs, then reselling analytics back to pharmaceutical companies for market research and sales targeting. The data is typically stripped of the patient's name before resale, which is exactly the mechanism that keeps it outside HIPAA's core protections.
The Case That Made This Legal: Sorrell v. IMS Health
Vermont passed a law in 2007 restricting the sale of prescriber-identifiable data without the prescriber's consent, specifically to limit pharmaceutical marketing built on physicians' individual prescribing patterns. IMS Health and several pharmaceutical trade groups sued, and the case reached the US Supreme Court as Sorrell v. IMS Health in 2011. The Court struck down Vermont's restriction, ruling 6-3 that the law violated the First Amendment because it restricted speech (the data's use in marketing) based on the speaker and the message, not because the data itself was somehow protected.
Sorrell v. IMS Health was about prescriber data, not patient data directly, and about a First Amendment marketing-restriction claim, not a patient privacy claim. But the ruling entrenched the broader industry practice it grew out of: prescription data mining as a protected, ongoing commercial activity, with patient-level data one layer removed from the prescriber data the case was actually about.
Before Sorrell: A Circuit Split
Vermont wasn't the first state to try restricting prescriber data mining, and the years before Sorrell show how unsettled the question was. New Hampshire passed a similar restriction, and when IMS Health challenged it, the First Circuit Court of Appeals upheld the New Hampshire law in 2008 (IMS Health v. Ayotte), treating the restriction as a permissible regulation of commercial conduct. When Vermont's near-identical law reached the Second Circuit, that court struck it down instead, creating a direct circuit split on the same legal question. It was that split, two federal appeals courts disagreeing about the same kind of statute, that gave the Supreme Court a clean reason to take Sorrell and settle it nationally. The 2011 ruling didn't just decide Vermont's case; it foreclosed the New Hampshire-style approach everywhere.
What GoodRx Actually Did
In 2023, the FTC reached a settlement with GoodRx, the prescription discount and telehealth app, for sharing users' health information, including which medications they searched for and which conditions that implied, with Facebook, Google, and other advertising and analytics platforms, without adequately disclosing it. It was the first enforcement action under the FTC's Health Breach Notification Rule, a rule that had existed since 2009 without having been used this way before.
The GoodRx case is the clearest concrete illustration of the structural problem: a prescription-adjacent app is frequently not a HIPAA covered entity at all, which means the healthcare-specific privacy law most people assume applies simply doesn't reach it. The FTC's general consumer protection authority ended up being the tool that applied, not HIPAA.
Loyalty Cards and the Purchase-History Trail
Pharmacy loyalty and rewards programs add a lower-tech version of the same exposure. A purchase history that includes prenatal vitamins, smoking cessation products, or a pattern of specific over-the-counter purchases can imply health conditions or life circumstances without a single prescription being involved. These purchase histories are typically governed by the retailer's ordinary privacy policy, not by healthcare-specific rules, since a loyalty card transaction isn't a healthcare service in the way HIPAA defines one.
| Layer | Covered by HIPAA? |
|---|---|
| Your pharmacist and pharmacy's dispensing system | Yes, as a covered entity |
| Pharmacy benefit manager claims processing | Generally yes, as a business associate |
| De-identified data sold to aggregators like IQVIA | Effectively no, once identifiers are stripped |
| Discount/coupon apps not tied to a health plan | Often no, unless separately regulated |
| Pharmacy loyalty and rewards programs | No, governed by ordinary retail privacy policy |
What You Can Actually Do
Reading a discount or telehealth app's privacy policy before you use it for anything sensitive is the single most useful step, specifically checking whether it names third-party advertising platforms as data recipients, the same disclosure the GoodRx case turned on. Declining loyalty program enrollment for pharmacy purchases removes a purchase-history trail with minimal cost. Beyond that, the limit is that prescription data mining at the aggregator level is a long-settled, court-affirmed industry practice, not a loophole waiting to be closed, and the parts you actually control sit at the edges: which apps you use, and what you enroll in.
Why This Sits Differently Than Other Health Data
Medication data carries an inference problem that plain purchase history doesn't. A fill for an antidepressant, an HIV medication, or a fertility drug reveals a health condition directly, not as a probabilistic guess but as a near-certain fact, since there's usually only one reason someone fills that specific prescription. This is different in kind from the tracking concerns around reproductive health apps, which mostly infer conditions from behavior; a pharmacy fill is closer to a direct diagnosis leak. That's the reason the GoodRx settlement drew more attention than an equivalent case in almost any other data category would have: the data wasn't adjacent to health information, it effectively was health information, moving through a channel most users assumed HIPAA already covered.