Pharmacies Are Giving Your Prescription Data to Police Without a Warrant
by Anthony W. Accurso
Following a congressional investigation, some lawmakers wrote a letter to the Department of Health and Human Services (“HHS”) about how the eight largest pharmacy chains provide patient prescription information to police without requiring a warrant, and only one regularly notifies customers when it discloses this private data.
Conducting the investigation were Senator Ron Wyden (D-OR), along with representatives Pramila Jayapal (D-WA) and Sarah Jacobs (D-CA). They obtained briefings from the eight major pharmacy chains: CVS Health, Walgreens Boots Alliance, Cigna, Optum Rx, Walmart Stores Inc., The Kroger Co. Rite Aid Corp., and Amazon Pharmacy. Such a review became more urgent since nearly “one in three women ages 15 to 44 …, a [Washington] Post analysis found, live in states where abortion is fully or mostly banned.”
“[W]e learned that each year law enforcement agencies secretly obtain the prescription records of thousands of Americans without a warrant. In many cases, pharmacies are handing over sensitive medical records without review by a legal professional,” the lawmakers wrote in their letter to HHS.
While five of the companies require internal review by legal professionals prior to releasing data, three companies—CVS, Kroger, and Rite Aid—said that “their staff are instructed to process records requests in-store” because “their staff faced extreme pressure to provide an immediate response.” These three companies have a combined 60,000 locations nationwide.
Amazon is the only company that notifies customers when this data is released, unless it is required not to by a gag order accompanying the request. “Although pharmacies are legally permitted to tell their customers about government demands for their data, most don’t,” wrote the lawmakers. “As a result, many Americans’ prescription records have few meaningful privacy protections, and those protections vary widely depending on which pharmacy they use.”
Under the Health Insurance Portability and Accountability Act (“HIPAA”), it is HHS that “determine[s] the standard of legal process that will govern disclosure of medical records.” In their letter to HHS, the lawmakers wrote that the agency should “strengthen the minimum bar set in the current regulations to require a warrant.”
“We urge HHS to consider further strengthening its HIPAA regulations to more closely align them with Americans’ reasonable expectation of privacy and constitutional principles,” wrote the lawmakers. “Pharmacies can and should insist on a warrant, and invite law enforcement agencies that insist on demanding patient medical records with soleus subpoena to go to court to enforce that demand.”
Some states—such as Louisiana, Montana, and Pennsylvania—offer additional protections for medical data disclosure, though federal law enforcement is not subject to their laws. However, as some women may choose to travel to obtain an abortion in a state where it is legal, state-by-state regulations will fail to provide adequate protections for Americans.
The Office of Civil Rights, under HHS, is considering “new protections banning the use or sharing of protected health data to identify, investigate or prosecute providers and others involved in the provision of legal reproductive health care, including abortion,” according to the HH website.
Tech companies have been dealing with records requests from law enforcement for years and have recently beçen requiring warrants for data such as location tracking records. This change became more pressing as police began submitting thousands of requests per year. It’s important for the pharmacies and HHS to address this issue before the volume of requests for prescription data similarly metastasizes.
Sources: the hill.com, therecord.media, bostonglobe.com
