Known formally as the Health Insurance Portability and Accountability Act, HIPAA was originally enacted by Congress to guard individuals' private health information from being sold, shared, or otherwise exploited by the medical industry or third parties. HIPAA's Privacy Rule specifically governs how private health information can be accessed and used legally, restricting it in such a way as to allow health providers access only to what they actually need in order to provide reasonable care, while protecting the rest.
You can read a summary of how HIPAA's Privacy Rule affects you here:
But CVS has apparently devised a way to bypass these protections by tricking its customers into signing away their HIPAA protections in exchange for store credits. According to the CVS ExtraCare Rewards signup page, all customers must "sign a HIPAA Authorization to join," a process that, as CVS fails to explain, involves customers completely giving up their right to medical privacy.