We all thought our phone records and credit card transactions were private. Think again, the feds told us.
But our medical records? That’s sacred ground, right?
Not so much — again, so the feds tell us. Depending on the outcome of a court case, medical records might not be so private anymore.
In the 1970s, the U.S. Supreme Court established the “third-party doctrine,” which holds that information that consumers hand over to third parties (i.e. credit card companies, telephone companies or utility provider) can be accessed by the government relatively easily. Consumers had no reasonable expectation of privacy.
In recent years, the court’s reasoning for the third-party doctrine has come under increased scrutiny as we enter a world where handing over private information to third parties has become necessary to communicate with others and participate in the modern economy.
The state of Oregon, joined by the American Civil Liberties Union, is challenging an application of the third-party doctrine concerning something deeply private to many individuals: medical records. In November, the state filed suit against the DEA, challenging the agency’s claim that under the third-party doctrine it can access a database administered by the Oregon Prescription Drug Monitoring Program without a warrant.
The database was created by lawmakers in 2009 to track prescriptions for an eight-page-long list of medications used to treat anxiety and panic disorders, weight loss associated with AIDS, Attention Deficit Hyperactivity Disorder, the testosterone needed by many transgendered men and others. Lawmakers intended the database to help health care providers better manage patients’ prescriptions and prevent abuses, particularly “doctor shopping.” In order to protect patients’ privacy, they included a provision that required law enforcement to secure a warrant before accessing the database.
However, the DEA is arguing that patients “do not have a constitutionally protected privacy interest” in their prescriptions, similar to their phone records or other documents subject to the third-party doctrine.
In order to get a sense of what’s at stake in the case, Street Roots spoke to Nathan Wessler, a staff attorney with the American Civil Liberties Union, which intervened in the case in January on behalf of patients and a physician residing in Oregon.
Jake Thomas: I want to start with the big question in this case. If the DEA prevails, what will it mean?
Nathan Wessler: It will mean that the DEA will continue its practice of requesting people’s confidential medical records, their prescription records, from Oregon’s monitoring program without a warrant. So that means they will be submitting unilateral requests, administrative subpoenas, to the Oregon program and expect Oregon to send back people’s confidential prescription records. It’s our position that that is a violation of both Oregon law and the Fourth Amendment to the U.S. Constitution.
J.T.: So they’d be getting these records through subpoenas rather than warrants. I was hoping you could explain the difference between the two and why that’s important.
N.W.: Under the Fourth Amendment to the U.S. Constitution, a warrant is required whenever the government wants to conduct a search of information or a place where a person has a reasonable expectation of privacy. For example, that would include a search of someone’s house and, we think, a search of someone’s medical records.
To get a warrant, the government has to go to a neutral judge and demonstrate that they have a probable cause that the subject of an investigation has committed or will commit a crime. And that’s a high standard, and that’s the gold standard under the Constitution.
A subpoena is much different. It’s really trivially easy for the government to issue. Prosecutors or law enforcement can send off administrative subpoenas on their own authority without ever going to a judge and all they need to demonstrate is that the records that they seek are relevant to an ongoing investigation, which is a very low standard and far lower than the probable cause required for a warrant.
J.T.: How do you respond to the DEA’s argument that medical records aren’t private, much like emails or other things subject to the third-party doctrine?
N.W.: Well, I have two responses. The whole concept of the third-party doctrine is really outdated and doesn’t match up with people’s reasonable expectations of privacy in today’s virtual world where virtually all of our communications through email or text messages and other means are digital. When we keep files on the cloud stored digitally, and when very sensitive information like our medical information is contained in digital files that are sent between doctors and pharmacists and pharmacists and state reporting programs, it no longer makes sense that because you’ve shared information with a particular third-party for a particular reason, like your doctor to get medical care, that all of a sudden you’ve consented to the government getting access to the same information.
But even if the third-party doctrine makes sense in some limited context, it still makes no sense when we’re talking about the extraordinarily private category of information that is made up by people’s medical records and their prescription records. Knowing what medications a person has been prescribed will reveal their underlying medical condition and their course of treatment, including really sensitive things like whether a person is HIV positive or has mental illness: issues related to their sexuality or chronic health conditions that are among some of the most private information that any of us have.
J.T.: So you’re saying that there are problems with the third-party doctrine?
N.W.: The case that the Supreme Court decided back in the 70s, which the government relies on now and establishes the third-party doctrine, was decided in a very different era when there was very little or no digital information out there, and maybe then it did make sense that you disclosed some information into a third-party for some reason you had, in effect, recognized that it might be passed on to others.
I think even then it was a dubious proposition, but in today’s world there is no way to participate in the economy or participate in modern life, to get health care, to communicate with friends and family and business partners without using third-party services like email providers. So it just doesn’t comport with people’s expectations of privacy. Just because they are participating in modern life we think that all their information should be accessible to police without a warrant.
J.T.: So what’s the solution? It was established by the Supreme Court. Is the solution a legislative fix?
N.W.: I think that legislative fixes can be appropriate, but there is a limitation in the case that we’re talking about where the state of Oregon tried to make the legislative fix. But now the DEA is coming in and saying, that’s just a matter of state law and we think that federal law preempts that and we can get the records without a warrant.
So if Congress steps in that would be a fix across the country. Courts really have an opportunity to make sure that our understanding of the Fourth Amendment takes account of how people actually live their lives and understand their privacy rights today. So whether it’s in this case or other cases dealing with similar issues, the time has really come for courts to recognize that this notion of the third-party doctrine no longer makes sense and in fact members of the Supreme Court in a case last year involving warrantless GPS tracking by police recognized as much and said that maybe there needs to be a reevaluation of the whole concept now that technology is coming so fast and people need to use the technology to participate in modern life.
J.T.: I read one of the government’s briefs that claimed that even if the DEA finds out about medications being taken by patients it won’t really effect them “adversely, if at all.” It also notes that it has safeguards to protect their names from becoming public. How do you respond?
N.W.: Well, the Fourth Amendment was written into the Bill of Rights by the framers of the Constitution, specifically, to limit the ability of police and law enforcement to rifle through people’s private information and private papers. So disclosure to the public of people’s information once the DEA gets it is a concern. It’s crucial that there are safeguards, but the primary concerns of the Fourth Amendment is preventing police abuses in the first place. So it’s crucial that whatever purpose the DEA thinks it needs this for, that it goes to a judge and prove that it has probable cause to believe that the person it is investigating has broken the law and get a warrant. That’s what the Constitution requires and that’s the only way the judiciary can provide an independent check on police practices and make sure investigations are narrow and limited and protect people’s rights.
J.T.: We’ve been hearing a lot in the news about NSA spying programs. Do you see any link between what the NSA is attempting to do and what the DEA is doing?
N.W.: I think that the way they are similar is that as more and more information and records become digital it becomes very attractive for the government and very easy for the government to get access to astounding quantities of our very private information. So in the case of the NSA, the justification is counter-terrorism or national security. In the case of the DEA program, the justification is trying to prosecute people who are misusing or mis-prescribing prescription drugs, but the fact remains that it is absolutely crucial that for whenever the government is investigating suspected wrongdoing it abides by the Constitution. And so the fact that these records are more easily accessible now that they are in centralized databases shouldn’t excuse the government from having to obey the Fourth Amendment.
J.T.: So this case was in Oregon because the state has strong laws protecting privacy. Could this case have implications for other states or are there similar cases in other states?
N.W.: Oregon is one of 49 states that has a prescription drug monitoring program. States vary in how protective of privacy they are in setting up these programs. And Oregon is one of the most protective. The claim we’re bringing against the DEA applies equally in every state that has one of these drug monitoring databases and the principal is the same: regardless of whether the state requires a warrant or not, the Fourth Amendment of the Constitution does require a warrant across the board.
J.T.: So this could have broad implications for 49 other states?
N.W.: Yeah, we’re bringing this lawsuit in the Federal District Court in Oregon. We have no idea whether it will end up on appeal to the Ninth Circuit. If it does, that covers a number of states in the western U.S., not around the country. If the court recognizes that our position is right, that will set a powerful precedent that other states and other courts can look to when dealing this issue.
J.T.: Did you bring this suit in Oregon because it has privacy laws?
N.W.: The most direct reason is that Oregon’s law does requires a warrant, and the state of Oregon sued the DEA before we got involved, stating that, no, the state of Oregon can’t just turn over these records without a court order because it violates state law. And once we saw that suit, we decided that it was important for us to get involved to represent individual patients and doctors who have prescription records in this state database and are concerned about their privacy rights being violated. So we intervened on behalf of individuals in Oregon and the court permitted us to intervene. So now we’re parties to the case and we are moving ahead with the substantive issues.
J.T.: If I understand correctly, the ACLU is uneasy about the state creating the database in the first place.
N.W.: That’s right. The database is certainly motivated by understandable concerns and the primary purpose of it is to create a public health tool to help doctors see what prescriptions their patients are getting and take action to prevent drug overdoses or drug abuse. However, whenever the government establishes a massive database that accumulates very private information about people, there are very serious privacy concerns. It’s important that there are safeguards to protect the information. That access of the database is limited, and it’s important to make sure that every bit of information that goes in is necessary. So the ACLU continues to have concerns that the database is too broad or the privacy protections aren’t stringent enough.
Oregon vs. the DEA
Under both the U.S. and Oregon constitutions, law enforcement needs a warrant to come into your home to search for evidence of unscrupulous activity. However, the U.S. Drug Enforcement Agency doesn’t think that the same standard applies for your medical records.
In November, the state of Oregon went to court to challenge the DEA’s contention that it doesn’t need a court warrant access a database administered by the Oregon Prescription Drug Monitoring Program (OPDMP), which was established by state lawmakers in 2009 to help health care providers better manage patients’ prescriptions while also preventing overdoses and abuse of drugs.
When lawmakers created the program, they built in a privacy safeguard by making it illegal for law enforcement to access the database without first obtaining a court warrant that demonstrated that there was a probable cause that the snooping would turn up evidence of wrong-doing.
However, the DEA has argued that it can bypass this requirement under the third-party doctrine, an idea developed by the U.S. Supreme Court in the 1970s that reasons that once citizens hand over information to a third party, such as emails sent over a company’s server or electric bills sent to a utility provider, they then have no reasonable expectation that the information will remain private. The DEA argues that prescription records fall under this category and can be obtained by a subpoena rather than a warrant, which requires scrutiny from a judge.
“When we collect data, it’s that much more easy for the government to access it,” says Becky Straus, legislative director the ACLU’s Oregon affiliate. “But it doesn’t mean that we don’t have the same constitutional protections.”
In January, the ACLU joined the case representing four patients and one physician residing in Oregon who have privacy concerns about the DEA accessing records contained in the database without a warrant because they contain such deeply personal information. According to a brief filed by the ACLU, two individuals the organization is representing are transgendered men taking testosterone as part of their transitions from females to males. Another takes medication to treat anxiety and post-traumatic stress disorder.
A brief filed by the U.S. District Attorney argues that while patients and physicians represented by the ACLU may have privacy concerns about the DEA accessing the database, “there is no evidence that this practice has or will effect (them) adversely, if at all.” The brief, filed on behalf of the DEA, also argues that it has the law on its side.
“The Supreme Court has held that a person does not have a constitutionally protected interest in prescription information,” reads the brief, which cites court cases backing up this claim.
According to the most recent report from the OPDMP, which runs from January 2013 through August 2013, 4.8 million prescriptions are contained in the database.
The Oregon Health Authority, which oversees the program, did not have numbers on how many subpoenas it has received from the DEA and how many it has complied with as of press time.
Straus also has other concerns about the OPDMP. In the last legislative session, lawmakers passed a bill that modified the program to collect more information about patients, while also allowing doctors or pharmacists to allow their staff to access the database. Straus worries that the new law will give the program “mission creep,” while also creating new privacy concerns.
“Lower level staff are less likely to have professional licenses or certifications that would hold them accountable to any kind of abuse of the system,” she says.
This article appears in 2013-10-11.