The difference is likely the opinion of your organization's legal guidance and the specificity and relevance of the request. HIPAA allows disclosures to subpoena requests.
Not quite that simple. I'm well acquainted with the Privacy Rule, for a whole multitude of reasons (you weren't implying I wasn't)...
> To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena.
Emphasis mine.
From the article:
> Instead, all the pharmacies hand over such information with nothing more than a subpoena, which can be issued by government agencies and does not require review or approval by a judge.
Emphasis also mine.
Police officers are not considered judicial officers, though they are officers of the court.
"Judicial officers are typically categorized as judges, magistrates, puisne judicial officers such as justices of the peace or officers of courts of limited jurisdiction; and notaries public and commissioners of oaths. The powers of judicial officers vary and are usually limited to a certain jurisdiction."
It seems to me that there's an extrapolation here that is not covered by HIPAA. HIPAA only refers to subpoenas issued by or reviewed by judicial officers, not a blanket allowance.
There’s another exception for non-judicial requests too.
The provision that pharmacies are using is, I believe, this one:
> To respond to an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that: the information sought is relevant and material to a legitimate law enforcement inquiry; the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought, and de-identified information could not reasonably be used (45 CFR 164.512(f)(1)(ii)(C)).
> the information sought is relevant and material to a legitimate law enforcement inquiry
Your average PharmTech at CVS isn't assessing the legitimacy of the inquiry or its relevancy, but is instead blindly acquiescing (or being told to do so).
The other part that is a problem is the use of "and":
> and de-identified information
There's no de-identified information in "Show me all the prescriptions you filled for Mr XYZ."
But what there is, is enough plausible deniability for the corporations to say they were following their interpretation of the law.
It's a bit wordy, but it's not really asking for anything too special.
Something like "I'm a police officer with ABC department, and I need to know which drugs Mr. XYZ has purchased between [x] and [y] in regards to a criminal drug trafficking investigation I am investigating" seems to satisfy all of the requirements.
* "administrative request": the officer is asking
* "the information sought is relevant and material to a legitimate law enforcement inquiry": they are real police, and they are investigating a crime regarding this person and these drugs.
* "the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought": It is about Mr XYZ, and it is about drugs he purchased; the crime being investigated is about the same.
* "and de-identified information could not reasonably be used": because it is specifically about Mr XYZ
https://www.hhs.gov/hipaa/for-professionals/faq/505/what-doe...