It might come as a surprise to many in the United States that they may have no Fourth Amendment reasonable expectation of privacy in their physicians’ records when their physicians transfer these records to state agencies under state public health laws. Yet on July 27, the federal district court for the state of Utah said exactly this for records of controlled substance prescriptions—and perhaps for medical records more generally. (United States Department of Justice, Drug Enforcement Administration v. Utah Department of Commerce, 2017 WL 3189868 (D. Utah July 27)). Patients should know that their physicians are required by law to make reports of these prescriptions to state health departments, the court said. Because patients should know about these reports, they have no expectation of privacy in them as far as the Fourth Amendment is concerned. And, so, warrantless searches by the Drug Enforcement Administration (DEA) are constitutionally permissible at least so far as the district of Utah is concerned. Physicians are by law required to make many kinds of reports to state agencies: abuse, various infectious diseases, possible instances of bioterrorism, tumors, abortions, birth defects—and, in most states, controlled substance prescriptions. The Utah court’s reasoning potentially throws into question the extent to which any of these reports may receive Fourth Amendment protection.
Surveys consistently show that people in the U.S. consider medical records to be particularly sensitive. According to a Pew Research Center report authored by Lee Rainie and Maeve Duggan, people have nuanced views about privacy protection and are willing to permit tradeoffs for benefits they believe will be worthwhile. They are especially wary, however, when the information is sensitive and when it will be used for purposes other than those for which it was originally collected. Participants in the Pew study were more likely to trust their physicians with information than others, in part because of the protections accorded medical records by the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA, however, contains a number of exceptions. One of the widest of these permits disclosure of information for public health purposes as required by state law without patient knowledge or consent. Once information has been transferred to public health authorities, it is outside of the protection of HIPAA and subject only to other protections of federal and state law. Information possessed by public health departments may be subject to state freedom of information act requests and then is protected only to the extent that state law restricts disclosure. In one well-known case, a newspaper in southern Illinois sought information about cancer diagnoses in an effort to report on possible cancer clusters related to environmental exposures. Although the state health department objected that the de-identified information might allow individuals to be re-identified, the state court ordered the disclosure pursuant to Illinois law. To the best of my knowledge, no survey data addresses the extent to which patients are aware of this public health exception or the scope of the information that may be required.
In an effort to prevent drug abuse and drug diversion by patients, many states have registries of controlled substance prescriptions, including sleep aids, anti-anxiety drugs, and pain medications. Physicians are expected to report these prescriptions to the registries. Before writing prescriptions, physicians are expected to contact the registries for information about whether their patients have received other prescriptions of similar substances in quantities that might suggest abuse or diversion. The registries are also a way for states to monitor physician prescribing behavior to identify providers who may be over-prescribing and fostering drug abuse. Although many have been in existence for a number of years, these registries are one among many methods now deployed to address the current situation of opioid abuse in the U.S.
Utah has a controlled substance data base administered by the state Division of Occupational and Professional Licensing, Utah Code §§ 58-37f-101 et seq. The statute imposes strict limits on who may access the data base. Under a 2015 amendment, federal, state, and local law enforcement officers and prosecutors engaged in an investigation of specific individuals with respect to controlled substances may access the data base if they have a valid search warrant, Utah Code § 58-37f-301(2)(m). This restriction conflicts with the federal Controlled Substances Act (CSA), which permits the Drug Enforcement Administration to issue administrative subpoenas for information relating to individuals suspected of violations of the CSA. According to a report to Congress from the U.S. Department of Justice, administrative subpoenas may be issued by the agency without judicial oversight and without the showing of probable cause that would be required for a warrant.
When the DEA issued an administrative subpoena in connection with an investigation of Utah physicians for violations of the CSA, the state objected that it could not turn over the information without a warrant. The ACLU and the providers in question intervened in support of the state. The Utah district court concluded that under the Supremacy Clause, a proper use of the federal power took priority. This conclusion is not surprising—but the district court went further in response to the state’s argument that the administrative subpoena was not a valid use of the federal power because it violated the Fourth Amendment’s protection of legitimate expectations of privacy.
The court used a two-step test to determine whether the administrative subpoena violated patients’ and providers’ legitimate privacy expectations. The first step was to determine whether medical records, including prescriptions, are ones about which patients and doctors have an expectation of privacy. They do not, the court said, because the pharmaceutical industry is pervasively regulated and thus the expectation is “that the prescription and use of controlled substances will happen under the watchful eye of the federal government.” The second step was to determine whether the expectation is one that society is prepared to recognize as reasonable. The expectation fails this test, too, the court said. The Utah Database Act has a regulatory purpose that parallels that of the federal government; in seeing a physician “a patient takes the risk—in this circumstance, a certainty—that his or her information will be conveyed to the government as required . . .” Finally, “[s]urely there is even less expectation of privacy in records held by a governmental entity, when considering a request by another governmental entity.”
This reasoning is remarkable for its breadth. If regulation of the pharmaceutical industry were sufficient to abrogate reasonable expectations of privacy, there would be no protected privacy expectations in any prescription information in medical records. The court does mention the possibility that its reasoning is limited to controlled substance prescriptions but nowhere does it explain why. Although both the Utah Database Act and the CSA address drug misuse and to that extent have a common purpose, the Utah Act also articulates clear standards for the limitation of access to the data base, Utah Code § 58-37f-301. Many of these limitations apply to transfer of the information among state agencies. Perhaps also of note, the federal Privacy Act also sets careful limits on transfer of information among federal agencies, thus countering the court’s assumption that expectations of privacy wane for transfers among units of government.
Interestingly, the court’s analysis nowhere refers to Whalen v. Roe, 429 U.S. 589 (1977), the Supreme Court’s first and only treatment of the Fourth Amendment’s application to controlled substance data bases. New York had established its computerized data base for controlled substance prescriptions, which collected identifiable patient information. In rejecting a facial constitutional challenge to the data base on Fourth Amendment grounds, the Court reasoned that the stringent security protections in the statute were sufficient to protect individual privacy interests. Reasoning in this way, the Court did not need to hold that there is an actual constitutional right to informational privacy. But it could avoid this question only by analyzing the adequacy of the security protections for the data base, including limitations on access. And the adequacy of the protections given by an administrative subpoena in contrast to the protections given by a search warrant is exactly what the Utah district court failed to address.
Under the court’s order, Utah has 21 days to comply with the subpoena, a shorter timeline than the 30 days normally allotted for a notice of appeal under the federal rules of civil procedure. News reports indicate that the state has not yet decided what to do. Whatever the state decides, the standardless and sweeping nature of the court’s reasoning is surely cause for great concern.