Investigation Highlights Ease at Which Police Can Access Pharmacy Records
On Monday, three Democratic Senators wrote to the Secretary of the Department of Health and Human Services (HHS) Xavier Becerra to express their concern about pharmacies disclosing prescription records to the police without a warrant.
Sen. Ron Wyden (D-OR) and Reps. Pramila Jayapal (D-WA) and Sara Jacobs (D-CA) launched an investigation following the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, which removed the federal right to an abortion and left it to individual states to set their own laws on abortion. Many states have implemented bans or severe restrictions on abortions, which has resulted in women, and in some cases, children, traveling to more permissive states to receive the reproductive care they need, and there are growing fears that individuals who seek legal reproductive health care out of state may face prosecution in their home state.
The HHS issued guidance on HIPAA and reproductive healthcare following the overturning of Roe v Wade, stressing that while the HIPAA Privacy Rule permits disclosures of PHI to law enforcement, the disclosures are not required by the HIPAA Privacy Rule. It is up to each HIPAA-covered entity to decide whether they provide records to the police.
One of the easiest places to obtain patient records to check who has been prescribed abortion medications is national pharmacy chains, which maintain records for patients no matter which location they visit. The records of the prescriptions of each patient can be accessed from any pharmacy, which means that if a patient in a state where abortion is illegal (e.g. Idaho) crosses the border to get abortion medication legally in a more permissive state (e.g. Oregon), police in the home state can obtain the prescription records because a digital trail is maintained.
But how easy is it to access those records? According to the Senators’ investigation, CVS Health, Kroger, and Rite Aid, allow their staff to hand over pharmacy records in-store. Each of the pharmacy chains confirmed that their staff face extreme pressure to comply with law enforcement requests and they have been instructed to process them on the spot.
The Senators found that the top 8 pharmacy chains, Walgreens Boots Alliance, Amazon Pharmacy, Kroger, Walmart, CVS, Cigna, and Optum Rx, only require a subpoena to provide the records and not a warrant. A subpoena can be issued without a sign-off from a judge, whereas a warrant requires approval from a judge, which means the police must convince the judge that the medical records are essential to the investigation of a crime.
What is not clear is how many requests for medical records have been issued in relation to investigations of individuals seeking abortions. The pharmacy chains confirmed they receive tens of thousands of requests every year to provide medical records to law enforcement, although most are related to civil lawsuits. Only one pharmacy chain, Amazon Pharmacy, said its policy was to notify individuals if there has been a law enforcement request for their medical records and does so unless that action is prevented by law. Most requests for medical records include a gag order, which prevents pharmacies from alerting individuals about disclosures to law enforcement.
The Senators have called for the HHS to make an urgent update to HIPAA to require law enforcement to obtain a warrant or a judge-issued subpoena in order to access medical records and also request that pharmacies proactively notify customers if their records have been requested by law enforcement.
