Every Major Pharmacy Chain Is Giving The Government Warrantless Access To Medical Records
The Fourth Amendment is rarely a match for the Third Party Doctrine. In recent years, things have gotten a wee bit better thanks to a couple of Supreme Court rulings. But the operative principle st…
www.techdirt.com
Every Major Pharmacy Chain Is Giving The Government Warrantless Access To Medical Records
Privacyfrom the third-party-doctrine-beats-HIPAA dept
Thu, Dec 28th 2023 03:36pm - Tim CushingThe Fourth Amendment is rarely a match for the Third Party Doctrine. In recent years, things have gotten a wee bit better thanks to a couple of Supreme Court rulings. But the operative principle still overrides: whatever we share (voluntarily or not) with private companies can often be obtained without a warrant.
That’s why bills have been introduced to add Fourth Amendment protections to cell location data gathered by phone apps. That’s why there’s been a constant struggle in courts and in Congress to reconcile the Third Party Doctrine with the Fourth Amendment, given the vast amount of information and data Americans now share with thousands of third parties.
Then there’s the players in the Third Party Doctrine market. There’s the government, which wants as much information as it can obtain without having to subject its actions and motives to judicial scrutiny. And there are the private companies, who figure it’s far more cost effective to just give the government what it wants, rather than challenge government requests for data in court.
The private entities involved here probably have more reason than most to not try to piss the government off. Not only are they still struggling to recover from a widespread retail downturn ignited by a worldwide pandemic, but they’re also paying off large settlements to the government for playing things a bit too fast and loose when it came to handing out opioids to Americans.
As Beth Mole reports for Ars Technica (and following on the heels of the news pharmacy chain Rite Aid is facing a five-year facial recognition tech ban), every major player in the retail pharmacy business has been handing over sensitive medical data to the government without ever demanding to see an actual warrant.
Three chains (CVS, Kroger, and Rite Aid) all told Congress they don’t even do a legal review of the subpoenas handed to them by government agencies. Instead, they apparently assume that if the government’s name is on it, it must be a valid request. The good news, I suppose, is that the other chains are at least involving their lawyers when it comes to data requests.
HIPAA (Health Insurance Portability and Accountability Act) — the medical record privacy law frequently misunderstood (and mis-acronymed) by laymen, lawyers, and legislators alike — is of no use here. HIPAA only prevents medical information from being released without permission to private parties not specifically authorized to obtain it. Pretty much any request originating from law enforcement agencies is considered to fall under the “if required by law” exception, even if the requests haven’t actually been vetted by pharmacy company lawyers and/or may not be legitimate demands for sensitive medical info.
The “required by law” phrase is important here. Law enforcement agencies have their own legal interpretations of the Third Party Doctrine, but none of that matters much in the case of HIPAA. All it would take to prevent pharmacy chains from handing out this data without a warrant would be the federal Department of Health and Human Services (HHS) taking this out of the Third Party Doctrine’s hands and placing a presumption of privacy on it.
That’s the gist of the letter [PDF] recently sent to HHS Secretary Xavier Becerra by Senator Ron Wyden, Rep. Pramila Jaypal, and Rep. Sara Jacobs. It cites a bit of courtroom and private company precedent to urge this situation along.
Looks pretty simple. All that’s needed is a change of policy, even if there’s no change in law. The problem with this, though, is that the head of the HHS has had plenty of time to change this policy to erect a higher standard for demands for customers’ information. The letter notes the legislators first informed Becerra of this potential issue in July, following the Dobbs decision in June, hoping the HHS would erect more protections to prevent people from being prosecuted for obtaining birth control products.
The following months delivered confirmation of the legislators’ concerns. Now, it’s up to the HHS to move forward. While we wait to see whether a former prosecutor is willing to elevate the privacy of Americans above the warrantless desires of law enforcement, we can at least be somewhat comforted by the fact that some of these companies are going to be a bit more transparent about their cooperation with the government. CVS, Walgreens, and Kroger have all promised to publish periodic reports about government requests for data. Amazon has gone one step further by notifying customers about government demands for their data.
There’s no reason the government shouldn’t need to secure a warrant to obtain this data. It’s protected by federal law against everyone else patients haven’t specifically granted permission to obtain. The government shouldn’t presume the existence of the Third Party Doctrine means customers’ prescription records are an open book. But it does and that needs to change, either through voluntary action or legislative mandate if the government can’t be talked into respecting the privacy of records most Americans likely assume are already covered by federal privacy protections.
Filed Under: 4th amendment, drug records, hipaa, pharmacies, surveillance, third party doctrine