Article 6HEZ3 Every Major Pharmacy Chain Is Giving The Government Warrantless Access To Medical Records

Every Major Pharmacy Chain Is Giving The Government Warrantless Access To Medical Records

by
Tim Cushing
from Techdirt on (#6HEZ3)
Story Image

The Fourth Amendment is rarely a match for the Third Party Doctrine. In recent years, things have gotten a wee bit better thanks to a couple of Supreme Court rulings. But the operative principle still overrides: whatever we share (voluntarily or not) with private companies can often be obtained without a warrant.

That's why bills have been introduced to add Fourth Amendment protections to cell location data gathered by phone apps. That's why there's been a constant struggle in courts and in Congress to reconcile the Third Party Doctrine with the Fourth Amendment, given the vast amount of information and data Americans now share with thousands of third parties.

Then there's the players in the Third Party Doctrine market. There's the government, which wants as much information as it can obtain without having to subject its actions and motives to judicial scrutiny. And there are the private companies, who figure it's far more cost effective to just give the government what it wants, rather than challenge government requests for data in court.

The private entities involved here probably have more reason than most to not try to piss the government off. Not only are they still struggling to recover from a widespread retail downturn ignited by a worldwide pandemic, but they're also paying off large settlements to the government for playing things a bit too fast and loose when it came to handing out opioids to Americans.

As Beth Mole reports for Ars Technica (and following on the heels of the news pharmacy chain Rite Aid is facing a five-year facial recognition tech ban), every major player in the retail pharmacy business has been handing over sensitive medical data to the government without ever demanding to see an actual warrant.

All of the big pharmacy chains in the US hand over sensitive medical records to law enforcement without a warrant-and some will do so without even running the requests by a legal professional, according to a congressional investigation.

[...]

They include the seven largest pharmacy chains in the country: CVS Health, Walgreens Boots Alliance, Cigna, Optum Rx, Walmart Stores, Inc., The Kroger Company, and Rite Aid Corporation. The lawmakers also spoke with Amazon Pharmacy.

All eight of the pharmacies said they do not require law enforcement to have a warrant prior to sharing private and sensitive medical records, which can include the prescription drugs a person used or uses and their medical conditions. Instead, all the pharmacies hand over such information with nothing more than a subpoena, which can be issued by government agencies and does not require review or approval by a judge.

Three chains (CVS, Kroger, and Rite Aid) all told Congress they don't even do a legal review of the subpoenas handed to them by government agencies. Instead, they apparently assume that if the government's name is on it, it must be a valid request. The good news, I suppose, is that the other chains are at least involving their lawyers when it comes to data requests.

HIPAA (Health Insurance Portability and Accountability Act) - the medical record privacy law frequently misunderstood (and mis-acronymed) by laymen, lawyers, and legislators alike - is of no use here. HIPAA only prevents medical information from being released without permission to private parties not specifically authorized to obtain it. Pretty much any request originating from law enforcement agencies is considered to fall under the if required by law" exception, even if the requests haven't actually been vetted by pharmacy company lawyers and/or may not be legitimate demands for sensitive medical info.

The required by law" phrase is important here. Law enforcement agencies have their own legal interpretations of the Third Party Doctrine, but none of that matters much in the case of HIPAA. All it would take to prevent pharmacy chains from handing out this data without a warrant would be the federal Department of Health and Human Services (HHS) taking this out of the Third Party Doctrine's hands and placing a presumption of privacy on it.

That's the gist of the letter [PDF] recently sent to HHS Secretary Xavier Becerra by Senator Ron Wyden, Rep. Pramila Jaypal, and Rep. Sara Jacobs. It cites a bit of courtroom and private company precedent to urge this situation along.

We urge HHS to consider further strengthening its HIPAA regulations to more closely align them with Americans' reasonable expectations of privacy and Constitutional principles. Pharmacies can and should insist on a warrant, and invite law enforcement agencies that insist on demanding patient medical records with solely a subpoena to go to court to enforce that demand. The requirement for a warrant is exactly the approach taken by tech companies to protect customer privacy. In 2010, after just one Federal Court of Appeals held that Americans have a reasonable expectation of privacy in their emails and that the 1986 Congressionally enacted law permitting disclosures of email pursuant to a subpoena was unconstitutional, all of the major free email providers - Google, Yahoo, and Microsoft - started insisting on a warrant before disclosing such data.

Looks pretty simple. All that's needed is a change of policy, even if there's no change in law. The problem with this, though, is that the head of the HHS has had plenty of time to change this policy to erect a higher standard for demands for customers' information. The letter notes the legislators first informed Becerra of this potential issue in July, following the Dobbs decision in June, hoping the HHS would erect more protections to prevent people from being prosecuted for obtaining birth control products.

The following months delivered confirmation of the legislators' concerns. Now, it's up to the HHS to move forward. While we wait to see whether a former prosecutor is willing to elevate the privacy of Americans above the warrantless desires of law enforcement, we can at least be somewhat comforted by the fact that some of these companies are going to be a bit more transparent about their cooperation with the government. CVS, Walgreens, and Kroger have all promised to publish periodic reports about government requests for data. Amazon has gone one step further by notifying customers about government demands for their data.

There's no reason the government shouldn't need to secure a warrant to obtain this data. It's protected by federal law against everyone else patients haven't specifically granted permission to obtain. The government shouldn't presume the existence of the Third Party Doctrine means customers' prescription records are an open book. But it does and that needs to change, either through voluntary action or legislative mandate if the government can't be talked into respecting the privacy of records most Americans likely assume are already covered by federal privacy protections.

External Content
Source RSS or Atom Feed
Feed Location https://www.techdirt.com/techdirt_rss.xml
Feed Title Techdirt
Feed Link https://www.techdirt.com/
Reply 0 comments