Behind The Scenes: The Mobile Prescription Alert Ideas That Winn-Dixie Rejected

Offering to alert pharmacy customers to prescriptions that are about to expire would be a terrific idea, were it not for privacy restrictions imposed by the U.S. Health Insurance Portability and Accountability Act (HIPAA). That's something Walgreens learned the hard way last month. Winn-Dixie, the $7 billion regional grocery chain, tackled the same issue and debated and ultimately rejected several tech approaches.

With so many chains offering pharmacy services, the debates provide a glimpse into how mobile strategies can slam into privacy rules that, sometimes, technology simply can't get around.

Tim Bell is the director for pharmacy managed care and systems at the 460-store chain operating in Florida, Alabama, Louisiana, Georgia and Mississippi. Bell said the issue is that the best approach for sending a quick alert (such as "Your Prescription for Lipitor is due for renewing. Should we renew?") and accepting a reply ("Renew") is also the least secure: text messaging. Because text messages lack any encryption, no drug names can be used.

One option Bell's team explored was using the prescription number instead of the name. "We had a lot of discussion about the RX number," he said.

If the message was intercepted, no privacy would be violated, because it would have no meaning to anyone who didn't already have access to the drugs or to the pharmacy's database. (If the bad guy already had access to the pharmacy's database, an intercepted text would be the least of Winn-Dixie's worries.)

The downside is that it wouldn't likely have much meaning to the customer, either, unless he/she was either standing by the medication at the time, had access to the Web to log into his/her account and look it up or somehow had it memorized. (If the patient's memory is that good, he/she probably doesn't need the reminder to renew.)

But there was fear that it could backfire. Even though providing a number is better than providing nothing, the fear was that some customers might get irritated and frustrated by being told a number and not a name. Once customers are aggravated that way, telling them that it's a government rule isn't likely to make them happy. The RX number plan was abandoned.

Another discussion involved allowing customers to download the full Winn-Dixie mobile app, which provides secure access to the patient's full records. If customers have the full app, why would they need the text alerts? The answer is that the text is so much faster and easier, and it would serve as a reminder to check the full app. That full app would then display the full prescription numbers, to decode the text alert.

That still didn't support the argument for using the RX numbers, though. A generic text alert ("You have a prescription that needs refilling") would also remind someone to use the app, and it would not force the customer to look up any numbers. The app would visually flag anything needing renewal, making the number irrelevant and needlessly time-consuming.

Yet another option that Winn-Dixie's mobile vendor (mscripts) investigated for the chain was to deploy secure text messaging. But that also didn't pan out, said mscripts CEO Mark Cullen. "It required too much software to download on the phone" to handle the encryption/decryption functions and "there's no standard for it yet," so it wasn't clear whether it would be viable for other chains, Cullen said. And when the standard is agreed on, everything would have to change anyway.

Another option considered was a way to narrowly avoid the HIPAA rules. Technically, customers can text the names of the drugs to themselves, so Winn-Dixie tried setting up a system to make it easy for customers to create calendar reminders so they could in effect remind themselves.

The chain also decided to give customers the ability to save their password on the phone. This, of course, raises the risk that if the phone is lost or stolen, anyone in possession of the phone could access everything. "We have enabled [the password remembering function], but we leave that choice to the guest," Bell said.

The chain ended up using push notifications from the mobile app, which can issue the alerts from a secure environment. It's not as simple as a text, but it's secure and it works cleanly.