Federal Court Sides with Patients Over CVS Health's Attempt to Gut Non-Discrimination Protections

By: Ranier Simons, ADAP Blog Guest Contributor

The increasing consolidation of corporate health entities is of significant concern because of the vast number of lives affected. When companies control a substantial market share of services and products, every business practice has pervasive outcomes since so many end users are dependent on them. This is especially notable in the arena of prescription drug benefit management, where CVS Health is one of the most prominent players. CVS Health has a history of actions and practices that have proven to be problematic in the lives of many patients and consumers. Moreover, their practices have habitually adversely affected people living with HIV/AIDS (PLWHA). Recently, CVS unsuccessfully tried to evade a discrimination lawsuit due to their practices.

Photo Source: TheBody

In 2018, seven plaintiffs filed a class action lawsuit against CVS Health Corporation, claiming CVS discriminated against PLWHA based on their prescription plans' design and denying them meaningful access to their health benefits.[1] The employer-sponsored health plan the patients utilized, whose pharmacy benefits were managed by CVS, required them to use mail-order specialty pharmacy services or CVS chain pharmacy services to obtain their HIV medication and receive the in-network pricing. They could not use their preferred in-network community pharmacies without incurring significantly higher out-of-pocket costs.

Utilizing preferred in-network pharmacies results in optimal patient care and utilization of services. Local pharmacies allow face-to-face interactions with pharmacists familiar with patients’ medical histories and related needs. Additionally, they are often geographically more accessible than the CVS chain pharmacies. Mail-order dispensing can result in delayed medication, lost or stolen medication, damage to medicines due to exposure to the elements, and even privacy concerns.

Repeatedly, the plaintiffs petitioned both their employer and CVS to ‘opt-out’ to be able to use their preferred in-network pharmacy choices, which were considered in-network for non-HIV medications. Despite repeated communications and requests, neither CVS nor their employers allowed them to opt out.[1] As such, they brought the lawsuit alleging that CVS was engaged in discrimination based on HIV disability under the Affordable Care Act. CVS moved to have the case dismissed on several grounds.[2] Firstly, they argued that the case had no merit because several of the plaintiffs are now deceased. They also argued the case should be dismissed because a couple of plaintiffs are now on different plans not currently associated with the problematic CVS benefit issue in question. Most notably, they claimed that they were not aware that their policies directly affected the rights of a federally protected class. Additionally, they argued that the employers were responsible for not allowing the plaintiffs to opt-out, not CVS.

Photo Source: Chronic Disease Coalition

In April 2024, U.S. District Judge Edward Chen ruled that CVS’ request for dismissal would not be granted.[2] He ruled that CVS’s actions fulfilled the requirements of proving deliberate indifference. The legal term means that CVS was fully aware of the damage the benefit plan specifically had on the PLWHA’s medically necessary access to HIV medications but failed to act on it by making reasonable accommodations.[2] In addition to the well-documented communications between the plaintiffs and CVS, CVS internal reports indicated that CVS had been given previous legal guidance that their benefit design could be deemed discriminatory to a protected class. 

Judge Chen also ruled that CVS could not blame the employer. CVS was fully able to modify a plan structure whenever it wanted. Moreover, the plans CVS presented to employers to select for coverage contained financial incentives for forcing the use of mail-order and CVS-specific branded pharmacies for HIV medication and other specialty drugs.[2] It was proven that CVS had other plans that allowed patients to opt out but did not make those options available for the employers in question. Unfortunately, Judge Chen ruled against the plaintiffs, stating they could not sue for monetary damages from the thousands of dollars they had paid out of pocket to get their medications from their preferred community pharmacies. Regardless, the plaintiffs legally have standing for the case to proceed because of Chen’s denial of the dismissal. 

As a result, CVS was sued in a separate lawsuit in 2018 for errantly publicly disclosing the HIV status of over 6,000 Ohio residents.[3] The Ohio AIDS Drug Assistance Program (OhDAP) had a contract with CVS where CVS provided HIV medications to OhDAP clients and handled communications with those members. The suit alleged that in the third quarter of 2017, CVS mailed out a letter containing membership cards, information about how to obtain HIV medications, and other program information to 6,000 clients. This mailing was in an envelope with a clear plastic window with a short reference code for the mailing list, ‘PM 6402 HIV’ printed above the recipient’s name. The plaintiffs sought legal remedy because the mailer "resulted in the potential or actual disclosure of recipients' HIV status to numerous individuals, including their families, friends, roommates, landlords, neighbors, mail carriers, and complete strangers."[4]

Photo Source: KRSO

The mailing was not only negligent in its handling of protected health information but was seemingly profit-driven. At the time of the mailing, many of the recipients did not have an established relationship with CVS. The mailer was sent regardless of whether the recipients were active CVS pharmacy customers. It was a way to market the usage of not only CVS pharmacy benefit products but also its general health care delivery services.[5] In 2020, CVS agreed to settle the lawsuit for $4.35 million.[6]

CVS is not the only problematic player in the corporate healthcare arena. However, their actions and core paradigms are consistently antagonistic to the best interests of PLWHA and others utilizing specialty drugs. In a briefing presented to payors in 2021, CVS Caremark listed strategies it would employ to save money. Regarding activities in response to new drugs in the market, some of its planned actions included: initially blocking coverage of new drugs, reviewing for clinical appropriateness and cost-effectiveness prior to formulary decision, applying aggressive clinically appropriate utilization management criteria with rigorous approval requirements, strongly favoring generic use requiring objective evidence of need for newer agents, and selecting preferred agents generating lowest net cost option in each category.[7]

Jen Laws, CEO of Community Access National Network, summarily describes CVS, stating: “CVS engages in aggressive self-dealing practices and anti-competitive contract efforts to eliminate competition, drive patients to their own pharmacies (including by way of under reimbursement to independent, non-chain pharmacies and higher cost-sharing for patients utilizing their trusted pharmacies), and roundly limit access to care by weaponizing their PBM.” It seems that keeping a continued focus on CVS will be necessary to highlight and act against present and future practices that harm patients.

[1] Third Amended Class Action Complaint. (2023, October 24) ). Retrieved from https://consumerwatchdog.org/wp-content/uploads/2023/11/2023-10-24-241_Third-Amended-Complaint.pdf

[2] John Doe One et al. v. CVS Pharmacy Ruling. (2024, April 18). Retrieved from https://www.courthousenews.com/cvs-medication-program-discriminates-against-hiv-aids-patients-judge-says/john-doe-one-et-al-v-cvs-pharmacy-et-al-mtd-ruling/

[3] Doe One et al. v. CVS Health Corporation et al. (2018, March 21). Retrieved from https://dockets.justia.com/docket/ohio/ohsdce/2:2018cv00238/211764

[4] Faul, A. (2018, March 29). CVS Health unintentionally revealed HIV status of 6,000 customers: Lawsuit. Retrieved fromhttps://abcnews.go.com/Health/cvs-health-unintentionally-revealed-hiv-status-6000-customers/story?id=54095674

[5] Schladen, M. (2018, June 29). State, CVS sued over HIV mailing. Retrieved from https://www.dispatch.com/story/news/politics/elections/2018/06/29/state-cvs-sued-over-hiv/11624806007/

[6] AIMED Alliance. (2020, May 15). CVS Health to Settle Lawsuit for Revealing HIV Status of Over 4,500 Patients. Retrieved fromhttps://aimedalliance.org/cvs-health-to-settle-lawsuit-for-revealing-hiv-status-of-over-4500-patients/

[7] Accetta, L. (2021). Expanding therapies, indications and implications for payors: Pipeline trends that will drive change in 2022. Retrieved from https://business.caremark.com/insights/2021/expanding-therapies-indications-and-implications-payors.html   

Disclaimer: Guest blogs do not necessarily reflect the views of the ADAP Advocacy Association, but rather they provide a neutral platform whereby the author serves to promote open, honest discussion about public health-related issues and updates.  

DHHS Reports That Majority Of Data Breaches Expose Non-Health-Related Data

By: Marcus J. Hopkins, Policy Consultant

The U.S. Department of Health and Human Services released on September 23rd, 2019, a report in the Annals of Internal Medicine that found that the majority of information accessed in the over 1,500 protected health information (PHI) breaches reported over the last decade has been sensitive demographic information (e.g. – driver’s license number and Social Security Numbers – SSNs) and financial information including billing and payment information (Hlavinka, 2019). Only 2% of data breaches were found to expose sensitive medical information, such has HIV status, cancer diagnoses, or substance abuse, but 65% of these breaches exposed general medical or clinical information (Hlavinka).

According to the findings, over half of data breaches reported to HHS could be attributed to healthcare providers’ personal mistakes or negligence. This could include anything from failing to encrypt laptops, to using “CC” instead of “BCC” when E-mailing patients (Hlavinka).

Photo Source: evidencesolutions.com

HHS proposed regulatory, in March 2019, that would modernize the way that health information is shared by implementing certain provisions of the 21st Century Cures Act, including increasing the amount of data that is entered and shared electronically. The fundamental tradeoff of this modernization, however, is that health data will naturally become more susceptible to exposure. This last point is increasingly concerning considering the recent increase in so-called “Ransomware” cyber-attacks against public computer systems. Campbell County Health in Gillette, Wyoming, was hit, this month, with one such cyber-attack affecting all 1,500 of the systems computers, including the E-mail server, which resulted in the CCH having to divert patients from ERs starting on September 20th, 2019, as well as cancelling many exams, procedures, and new patient admissions (Landi, 2019).

Healthcare systems remain one of the largest targets of hackers, and while ransomware attacks, themselves, do not access private information, instead denying access to information, the potential exists for hackers to jump from denying access to exposing sensitive data if ransoms are not paid.

These data presented by HHS come on the heels of a recent settlement announcement in the state of Ohio between state AIDS Drug Assistance Program (ADAP) clients and CVS Health, the company contracted to provide prescription drug benefits, after a CVS mailer to OHDAP (Ohio’s ADAP program) clients in an envelope that clearly announced clients’ HIV status (Hopkins, 2017). In our August 2017 coverage of this issue, one of the plaintiffs, Eddie Hamilton, head of the ADAP Educational Initiative, shared with us the envelope he received (unredacted) which clearly listed his ID number as: “PM 6402 HIV”.

“In our case, CVS used our Ryan White CAREWare numbers as their subscriber numbers,” Hamilton told me. “It has our birthdates embedded in that URN (Unique Record Number), which is not HIPAA compliant. So, not only was our HIV status on the mailer, but our names, addresses, and birthdates all visible to anyone who looked at the envelope. I do not think that the Health Resources and Services Administration (HRSA) is even aware that those numbers are being used for public consumption.”

The CVS settlement, which has yet to receive approval from a judge, agrees to pay out $4.4 million to settle the class-action lawsuit filed in June 2018 by the roughly 4,500 patients impacted. Under the settlement, each recipient of the mailer would receive a minimum of $400, those who can show they suffered non-financial harm can get as much as $2,500, and those who can prove they suffered financial harm can receive up to $10,000. The lawyers representing the plaintiffs may receive up to $1.46 million – over a third of the overall reward (Anderson, 2019).

Photo Source: UpGuard

The agreement language, itself, include some troubling clauses, such as clause 10.19 which reads:

"10.19 Non-Disparagement. The Parties and their counsel agree that neither the fact that Caremark entered into this Settlement Agreement nor its terms shall at any time, directly or indirectly, be used to disparage Caremark’s administration of OhDAP. For purposes of this Section, the term “disparage” shall mean to make comments or statements that would adversely affect the business or professional reputation of Caremark. Nothing in this Paragraph or any other Paragraph of the Agreement, precludes the Parties or their Counsel from (a) referring to public information about the above-captioned litigation, Settlement, or other publicly available documents; (b) responding to any subpoena, legal process or request for information from any governmental authority; (c) testifying truthfully under oath pursuant to any lawful court order or subpoena; or (d) pursuing any legal right they may have against each other. Nothing in this paragraph or any other paragraph of this Agreement precludes Counsel for Plaintiffs from making statements regarding signatories to this Agreement in the context of pursuing a claim or lawsuit. Nothing in this paragraph or any other paragraph of the Agreement shall be construed to restrict the right to practice in violation of applicable Rules of Professional Conduct."

Non-Disparagement clauses are frequently used as tools to prevent those who agree to settle from going public with their personal stories, particularly in the event that they come to feel that the amount they received in the settlement is not sufficient to cover their injury.

In addition to the Non-Disparagement clause, the settlement includes no admission of guilt – a common practice in settlement agreements. This, to my way of thinking, is unconscionable. CVS’ negligence in this matter had the potential to result in long-lasting impacts, both personally and financially, for those whose statuses were exposed in their mailers. That no party involved in the decision to use “HIV” in the member ID numbers – not OHDAP, not the Ohio Department of Health, and certainly not CVS Caremark – is willing to admit to wrongdoing despite clearly having done wrong is worthy of disparagement.

The reality of living in the 21st Century is that, the further along we go, the more information about us is going to be accessible to others. Data breaches have always occurred and oftentimes, it can be the result of a simple mistake. The question then becomes, “How much security are we willing to sacrifice in the name of expedience?”

Personally, because I’m very vocal and open about my status and personally invite any hacker to try to use my SSN to gain access to credit (best of luck, suckers! The joke’s on you [Marcus goes to cry over his poor credit rating]), as well as the fact that I have a tendency to relocate pretty frequently, I prefer the ease of data mobility. Others, however, are not so open, and for them, the risk of exposure – while, according to the HHS data, is slim – presents a far more daunting choice.

References:

• Anderson, Maia. (2019, September 13). CVS to pay $4.4M settlement over inadvertent HIV disclosure of 4,500 patients. Chicago, IL: Becker’s Healthcare: Becker’s Hospital Review: Pharmacy. Retrieved from: https://www.beckershospitalreview.com/pharmacy/cvs-to-pay-4-4m-settlement-over-inadvertent-hiv-disclosure-of-6-000-patients.html
• Hlavinka, E. (2019, September 23). Health Data Breaches Give Up SSN, Not HIV Status - Just 2% involved sensitive medical information. New York, NY: MedPage Today, LLC: MedPage Today: Public Health & Policy: Practice Management. Retrieved from: https://www.medpagetoday.com/publichealthpolicy/practicemanagement/82332
• Hopkins, M.J. (2017, August 28). HIPAA: Healthcare mailers violate privacy rights of people living with HIV. Washington, DC: Community Access National Network: HEAL Blog. Retrieved from: https://communityaccessnationalnetwork.wordpress.com/2017/08/28/1498/
• Landi, H. (2019, September 23). Wyoming health system hit with ransomware attack, diverts ER patients and cancels services. Framingham, MA: Questex, LLC: Fierce Healthcare: Tech. Retrieved from: https://www.fiercehealthcare.com/tech/campbell-county-health-wyoming-hit-ransomware-attack-diverts-er-patients

Disclaimer: Guest blogs do not necessarily reflect the views of the ADAP Advocacy Association, but rather they provide a neutral platform whereby the author serves to promote open, honest discussion about public health-related issues and updates.