Pharmacies have disclosed the prescription records of thousands of patients to law enforcement agencies without a warrant, and the majority of pharmacies do not inform patients when their prescription records are disclosed, according to a recent Congressional inquiry.
The prescription records held by pharmacies are classed as protected health information (PHI) under HIPAA, and as such, there are limits on uses and disclosures under the HIPAA Privacy Rule. The HIPAA Privacy Rule permits disclosures of PHI to law enforcement for certain purposes, such as to comply with a court order or court-ordered warrant, to respond to an administrative request, or to respond to a request for PHI for the purpose of identifying or locating a suspect, fugitive, material witness or missing person, although disclosures must be limited in such cases. These disclosures are permitted but are not required by the HIPAA Privacy Rule.
Pharmacies receive many thousands of requests for copies of PHI, the majority of which are for civil lawsuits; however, following the Supreme Court’s decision that overturned Roe V. Wade and removed the federal right to an abortion, there are fears that states that have introduced bans on abortions may attempt to prosecute state residents that seek abortion care out of state where it is legal, and prescription records provide evidence that an individual has had an abortion.
In July, 47 Members of Congress wrote to Xavier Becerra to urge the HHS to revise regulations to protect the medical records of Americans from warrantless law enforcement agencies’ demands, specifically to protect the privacy of women who seek reproductive care in states where that care can be legally provided. Following on from this, Ron Wyden, United States Senator and Chairman of the Committee on Finance, and Representatives Pramila Jayapal and Sara Jacobs, launched an inquiry into disclosures of PHI by pharmacies. The Senators contacted the nation’s seven largest pharmacy chains – CVS Health, Walgreens Boots Alliance, Cigna, Optum Rx, Walmart Stores, Inc., The Kroger Company, and Rite Aid Corporation – as well as Amazon Pharmacy to find out about their privacy practices with respect to disclosures of prescription records to law enforcement.
Amazon, Cigna, Optum Rx, Walmart, and Walgreens Boots Alliance said they required any request from law enforcement to be reviewed by a legal professional; however, CVS Health, The Kroger Company, and Rite Aid Corporation said their staff face considerable pressure from law enforcement and have been instructed to process these requests in store, although CVS Health and the Kroger Company said their staff is instructed to contact the legal department if unsure about the legality of any such request.
None of the pharmacies have a policy of requiring a warrant in order to share pharmacy records with law enforcement, unless required by state law, and will provide the records if presented with a subpoena. A warrant needs to be signed by a judge who must be convinced that such a request is justified and that there is sufficient evidence of a crime having been committed. A judge does not need to approve a subpoena. Only one pharmacy, Amazon Pharmacy, said it had a policy of informing patients if a request is received by law enforcement for their pharmacy records, unless they have been instructed to keep the disclosure confidential.
If a patient lives in a state where abortion is illegal and travels to a state where abortion care is legal to have that abortion, the drugs prescribed will be present in the patient’s records and could be obtained by law enforcement in their home state without a warrant. The Senators have asked Xavier Becerra to strengthen the HIPAA regulations to more closely align them with Americans’ reasonable expectations of privacy and Constitutional principles. “Pharmacies can and should insist on a warrant, and invite law enforcement agencies that insist on demanding patient medical records with solely a subpoena to go to court to enforce that demand. The requirement for a warrant is exactly the approach taken by tech companies to protect customer privacy,” wrote the senators.