Oxford University Press's
Academic Insights for the Thinking World

How private are your prescription records?

Urgent public health crises generate pressures for access to information to protect the public’s health. Identifying patients with contagious conditions and tracing their contacts may seem imperative for serious diseases such as Ebola or SARS. But pressures for information reach far more broadly than the threat of deadly contagion. Such is the situation with the opioid epidemic, at least in Utah, where a federal district court recently determined that patients have no reasonable expectation of privacy in their prescription records, which can be transferred to state agencies under state public health laws.

Patients should know that their physicians are required by law to make reports of these prescriptions to state health departments, the court said. These reports to state agencies can include abuse, various infectious diseases, possible instances of bioterrorism, tumors, abortions, birth defects—and, in most states, controlled substance prescriptions. Because patients should know about these reports, they have no Fourth Amendment expectation of privacy in them. And, so, warrantless searches by the Drug Enforcement Administration (DEA) are constitutionally permissible. The Utah court’s reasoning potentially throws into question the extent to which these reports may receive Fourth Amendment protection.

Surveys consistently show that people in the United States consider medical records particularly sensitive. According to a Pew Research Center report, people have nuanced views about privacy protection and are willing to permit tradeoffs for benefits they believe will be worthwhile. They are especially wary, however, when the information is sensitive and when it will be used for purposes other than those for which it was originally collected.

The US statute protecting the confidentiality of patients’ medical records, HIPAA, has a wide exception that allows disclosure of information for public health purposes without patient knowledge or consent, when required by state law. In the effort to prevent patients from drug abuse and drug diversion, many states have registries of controlled substance prescriptions, including sleep aids, anti-anxiety drugs, and pain medications. Before writing prescriptions, physicians are expected to contact the registries for information about whether their patients have received other prescriptions of similar substances in quantities that might suggest abuse or diversion. The registries are also a way for states to monitor physician prescribing behavior to identify providers who may be over-prescribing and fostering drug abuse. Utah has such a data base but imposes strict limits on how it may be accessed, including a requirement for a valid search warrant for law enforcement officers seeking access.

U.S. Navy photo by Photographer’s Mate 3rd Class Jason T. Poplin. Public domain via Wikimedia Commons.

Utah’s requirement for a warrant conflicts with the federal Controlled Substances Act (CSA), which permits the DEA to issue administrative subpoenas for information relating to individuals suspected of violations of the CSA. According to a US Department of Justice report, administrative subpoenas may be issued by the agency without judicial oversight and without the showing of probable cause that would be required for a warrant. When the DEA subpoenaed the state in connection with an investigation of Utah physicians for violations of the CSA, the state objected that it could not turn over the information without a warrant.

The DEA countered with the Supremacy Clause: valid federal laws are superior to conflicting state laws. Because the conflict was clear, the federal statute would prevail unless its application is constitutionally problematic. The state thought that the warrantless subpoena violated patients’ reasonable expectations of privacy in medical records—and so ran afoul of the Fourth Amendment. But the court disagreed. Patients do not have an expectation of privacy in their prescription records, the court said, because the pharmaceutical industry is pervasively regulated and thus the expectation is “that the prescription and use of controlled substances will happen under the watchful eye of the federal government.” This reasoning is remarkably broad. If regulation of the pharmaceutical industry were sufficient to abrogate reasonable expectations of privacy, there would be no protected privacy expectations in any prescription information in medical records. The court does mention the possibility that its reasoning is limited to controlled substance prescriptions but nowhere does it explain why.

Nor does the court’s analysis refer to Whalen v. Roe (1977), the Supreme Court’s first and only treatment of the Fourth Amendment’s application to controlled substance data bases, in this case the data based established by New York. In rejecting a Fourth Amendment challenge to the data base, the Court reasoned that the stringent security protections in the statute were sufficient to protect individual privacy interests. Reasoning in this way, the Court did not need to hold that there is an actual constitutional right to informational privacy. But it could avoid this question only by analyzing the adequacy of the security protections for the data base, including limitations on access.

Under the court’s order, Utah has 21 days to comply with the subpoena, a shorter time line than the 30 days normally allotted for a notice of appeal by the federal rules of civil procedure. News reports indicate that the state has not yet decided what to do. Whatever the state decides, the standardless and sweeping nature of the court’s reasoning is surely cause for great concern. Opioid abuse is a critical public health problem, but addressing it should not lead to such broad erasure of privacy protections.

Featured image credit: “Cure” by frolicsomepl. CC0 Public Domain via Pixabay.

Recent Comments

There are currently no comments.