When you use Instacart to order prescription medications, the policy contains specific provisions governing how prescription-related personal information is collected, used, and disclosed, separate from standard order data.
This analysis describes what Instacart's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Prescription data is among the most sensitive categories of personal information; the policy's separate treatment of this data category signals distinct handling obligations, but the applicable protections depend on whether Instacart qualifies as a HIPAA-covered entity or business associate in this context.
Interpretive note: The full text of the prescription delivery section was not included in the provided document excerpt; the analysis is based on the section heading and structural references, and the specific handling terms cannot be confirmed from the available text.
The policy separately addresses prescription delivery data, meaning information about your medication orders may be handled under different disclosure and use rules than standard grocery orders; users who order prescriptions through Instacart should review this section to understand how their health-related purchase data is treated.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
Instacart has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Prescription Deliveries (Not Available on Instacart White Labels)— Excerpt from Instacart's Instacart Privacy Policy
REGULATORY LANDSCAPE: Prescription delivery data may engage HIPAA if Instacart functions as a business associate of a covered entity pharmacy. If Instacart is not a covered entity or business associate, prescription data is not protected by HIPAA but may be subject to state health privacy laws including California's Confidentiality of Medical Information Act (CMIA) and similar statutes. The FTC's Health Breach Notification Rule may also apply to personal health records. The FTC and State Attorneys General are the primary enforcement authorities in the non-HIPAA context. GOVERNANCE EXPOSURE: High. Prescription data constitutes sensitive personal information under CPRA and similar state laws, requiring additional use limitations and consumer rights. Mishandling of prescription data creates significant reputational and regulatory risk even absent HIPAA applicability. JURISDICTION FLAGS: California's CMIA imposes strict protections on medical information. Illinois, New York, and other states have enacted health data privacy statutes that may apply. Canadian users' prescription data may be subject to heightened provincial health privacy requirements. CONTRACT AND VENDOR IMPLICATIONS: Pharmacy partners providing prescription data to Instacart should be assessed for business associate agreement requirements. If Instacart receives protected health information from a covered entity pharmacy, a BAA is required under HIPAA regardless of Instacart's own covered entity status. COMPLIANCE CONSIDERATIONS: Legal teams should determine whether Instacart's prescription delivery operations trigger HIPAA business associate status; assess state health privacy law applicability; review data minimization practices for prescription data; and confirm that prescription data is excluded from advertising use cases including the Retail Data program.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Prescription data is among the most sensitive categories of personal information; the policy's separate treatment of this data category signals distinct handling obligations, but the applicable protections depend on whether Instacart qualifies as a HIPAA-covered entity or business associate in this context.
The policy separately addresses prescription delivery data, meaning information about your medication orders may be handled under different disclosure and use rules than standard grocery orders; users who order prescriptions through Instacart should review this section to understand how their health-related purchase data is treated.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Instacart.