Every Major Pharmacy Chain Is Giving The Government Warrantless Access To Medical Records
from the third-party-doctrine-beats-HIPAA dept
The Fourth Amendment is rarely a match for the Third Party Doctrine. In recent years, things have gotten a wee bit better thanks to a couple of Supreme Court rulings. But the operative principle still overrides: whatever we share (voluntarily or not) with private companies can often be obtained without a warrant.
That’s why bills have been introduced to add Fourth Amendment protections to cell location data gathered by phone apps. That’s why there’s been a constant struggle in courts and in Congress to reconcile the Third Party Doctrine with the Fourth Amendment, given the vast amount of information and data Americans now share with thousands of third parties.
Then there’s the players in the Third Party Doctrine market. There’s the government, which wants as much information as it can obtain without having to subject its actions and motives to judicial scrutiny. And there are the private companies, who figure it’s far more cost effective to just give the government what it wants, rather than challenge government requests for data in court.
The private entities involved here probably have more reason than most to not try to piss the government off. Not only are they still struggling to recover from a widespread retail downturn ignited by a worldwide pandemic, but they’re also paying off large settlements to the government for playing things a bit too fast and loose when it came to handing out opioids to Americans.
As Beth Mole reports for Ars Technica (and following on the heels of the news pharmacy chain Rite Aid is facing a five-year facial recognition tech ban), every major player in the retail pharmacy business has been handing over sensitive medical data to the government without ever demanding to see an actual warrant.
All of the big pharmacy chains in the US hand over sensitive medical records to law enforcement without a warrant—and some will do so without even running the requests by a legal professional, according to a congressional investigation.
[…]
They include the seven largest pharmacy chains in the country: CVS Health, Walgreens Boots Alliance, Cigna, Optum Rx, Walmart Stores, Inc., The Kroger Company, and Rite Aid Corporation. The lawmakers also spoke with Amazon Pharmacy.
All eight of the pharmacies said they do not require law enforcement to have a warrant prior to sharing private and sensitive medical records, which can include the prescription drugs a person used or uses and their medical conditions. Instead, all the pharmacies hand over such information with nothing more than a subpoena, which can be issued by government agencies and does not require review or approval by a judge.
Three chains (CVS, Kroger, and Rite Aid) all told Congress they don’t even do a legal review of the subpoenas handed to them by government agencies. Instead, they apparently assume that if the government’s name is on it, it must be a valid request. The good news, I suppose, is that the other chains are at least involving their lawyers when it comes to data requests.
HIPAA (Health Insurance Portability and Accountability Act) — the medical record privacy law frequently misunderstood (and mis-acronymed) by laymen, lawyers, and legislators alike — is of no use here. HIPAA only prevents medical information from being released without permission to private parties not specifically authorized to obtain it. Pretty much any request originating from law enforcement agencies is considered to fall under the “if required by law” exception, even if the requests haven’t actually been vetted by pharmacy company lawyers and/or may not be legitimate demands for sensitive medical info.
The “required by law” phrase is important here. Law enforcement agencies have their own legal interpretations of the Third Party Doctrine, but none of that matters much in the case of HIPAA. All it would take to prevent pharmacy chains from handing out this data without a warrant would be the federal Department of Health and Human Services (HHS) taking this out of the Third Party Doctrine’s hands and placing a presumption of privacy on it.
That’s the gist of the letter [PDF] recently sent to HHS Secretary Xavier Becerra by Senator Ron Wyden, Rep. Pramila Jaypal, and Rep. Sara Jacobs. It cites a bit of courtroom and private company precedent to urge this situation along.
We urge HHS to consider further strengthening its HIPAA regulations to more closely align them with Americans’ reasonable expectations of privacy and Constitutional principles. Pharmacies can and should insist on a warrant, and invite law enforcement agencies that insist on demanding patient medical records with solely a subpoena to go to court to enforce that demand. The requirement for a warrant is exactly the approach taken by tech companies to protect customer privacy. In 2010, after just one Federal Court of Appeals held that Americans have a reasonable expectation of privacy in their emails and that the 1986 Congressionally enacted law permitting disclosures of email pursuant to a subpoena was unconstitutional, all of the major free email providers — Google, Yahoo, and Microsoft — started insisting on a warrant before disclosing such data.
Looks pretty simple. All that’s needed is a change of policy, even if there’s no change in law. The problem with this, though, is that the head of the HHS has had plenty of time to change this policy to erect a higher standard for demands for customers’ information. The letter notes the legislators first informed Becerra of this potential issue in July, following the Dobbs decision in June, hoping the HHS would erect more protections to prevent people from being prosecuted for obtaining birth control products.
The following months delivered confirmation of the legislators’ concerns. Now, it’s up to the HHS to move forward. While we wait to see whether a former prosecutor is willing to elevate the privacy of Americans above the warrantless desires of law enforcement, we can at least be somewhat comforted by the fact that some of these companies are going to be a bit more transparent about their cooperation with the government. CVS, Walgreens, and Kroger have all promised to publish periodic reports about government requests for data. Amazon has gone one step further by notifying customers about government demands for their data.
There’s no reason the government shouldn’t need to secure a warrant to obtain this data. It’s protected by federal law against everyone else patients haven’t specifically granted permission to obtain. The government shouldn’t presume the existence of the Third Party Doctrine means customers’ prescription records are an open book. But it does and that needs to change, either through voluntary action or legislative mandate if the government can’t be talked into respecting the privacy of records most Americans likely assume are already covered by federal privacy protections.
Filed Under: 4th amendment, drug records, hipaa, pharmacies, surveillance, third party doctrine
Comments on “Every Major Pharmacy Chain Is Giving The Government Warrantless Access To Medical Records”
And this is why we will never have real data privacy reform.
… as intended, the 4th Amendment has been a very troublesome obstacle to the exercise of plenary government power over the American people
however, all levels of American government have diligently and successfully labored to weaken 4th Amendment rights… by ignoring them or ‘interpreting’ them to be somehow inapplicable as government police power expands to stunning degrees
government courts offer little protection; they routinely interpret government powers broadly and citizen rights narrowly.
SCOTUS has independently amended the 4th Amendment text a dozen times via unconstitutional court “decisions” such as this outrageous 3rd Party Doctrine. .
Anybody here see the fundamental governmental problem in play ??
So what?
Re:
Let me guess, you’re in the “If you have nothing to hide” crowd. You’re obviously a very deep thinker.
This comment has been flagged by the community. Click here to show it.
Re: Re:
Buddy, I’m more concerned about maintaining health insurance that covers the cost of the medicine used to treat my leptin deficiency. I don’t care that CVS gives information about suspected prescription drug-diverters to law enforcement w/o a warrant. Get a fucking grip.
Re: Re: Re:
Do you feel inconvenienced by the 4th amendment? Are there other parts of the constitution that you think the government should ignore also, like the 1st amendment?
Your rights are slowly eroded away and all you can say is “get a grip”.
Re: Re: Re:
“I don’t care that CVS gives my personal information to law enforcement w/o a warrant.”
We know, but thanks for confirming that.
Given how well the stalker did with a protonmail email address and sounding convincing, we can find out who in Congress us taking viagra
Given that personal data is very much personal and generated by the individual, not by the company, and thus is covered by the individual’s personal copyright, I’d say this constitutes one of the occasions where the DMCA applies with a vengeance.
Companies do not generate, thus do not own any individual’s data. They are only stewards of it for specific purposes. And if they act as if they own it, they breach the unwritten contract between the individual and the company, in which case, I or anyone else, becomes entitled to poison the data stored. I mean, some of us are in fact the three-foot marketers who fell out of the space and time warp left by the Heart of Gold starship, and who miraculously survived infinite space before a planet miraculously appeared underneath our feet, and thus are entitled to treat those descended from the pile of fried eggs that equally mysteriously appeared on the Poghril planet, with all the respect they are due – ie, none whatsoever.
A warrant-free search should be treated as and reported on as nothing more than a baseless fishing expedition looking for anything juicy that might be found.
If law enforcement has enough evidence that someone is probably engaging in criminal activities then they should easily have enough to get a warrant, the only reasons to refuse to do so are laziness mixed with contempt towards the rights of the public or naked corruption also mixed with the aforementioned contempt.
Sadly with how broken the legal system is in the US I suspect that this practice will only see significant pushback if someone rich and/or powerful ends up having their medical data grabbed during these fishing expeditions and the cops are stupid enough to make the info public as anything less will be shrugged off as a cost those in the government are willing to (have the public) pay in the War On Crime.
You say that now...
But when your front door is knocked down by drug enforcement and all your belongings get searched and you are handcuffed and placed in holding for 72 hours because your household bought two boxes of Sudefed in a month that your whole family was sick, or you had a different doctor call in a narcotic script, or there a mistake in CVS’ records, or the cops read the records wrong…you’ll see it much differently..
Remember, the cops don’t pickup the costs of the damage they do when they knock down doors or break windows (they are given immunity)…And you’ll spend weeks putting everything away from your drawers and closets that the cops threw all over the floor
“They include the seven largest pharmacy chains in the country: CVS Health, Walgreens Boots Alliance, Cigna, Optum Rx, Walmart Stores, Inc., The Kroger Company, and Rite Aid Corporation. The lawmakers also spoke with Amazon Pharmacy.”
Thanks for that info. Walgreens Boots Alliance is owned by the same company that owns Boots here in the UK, which itself is causing problems in residential homes by short-delivering prescribed medications. Now I can persuade Priory Group to end the relationship by pointing out that Boots may not necessarily be following the GDPR, given how readily it violates HIPAA.