Prescription Database Privacy Case Heads For Legal Showdown
California Supreme Court will decide whether the state's medical board breached patient privacy when it used data from a state prescription database to discipline a physician.
Mental Health Tools: From Office To Pocket
Mental Health Tools: From Office To Pocket (Click image for larger view and slideshow.)
To combat "doctor shopping," "pill mills," and addiction to medications such as pain and anti-anxiety pills, many states have created databases that track the doctors who prescribe and patients who take these medications. Used by pharmacies and practices to ensure consumers aren't seeing multiple physicians to get controlled substances, these databases also have become a tool for law enforcement -- and at least one medical board's investigative arm.
But could investigators' access to these records, which also include non-controlled medications, jeopardize patient privacy, especially when data segues from deidentified to clearly identified information and patients are called upon to hand over their complete medical records as part of an investigation? How are patients affected? And could the evolving new healthcare model -- which demands more synergies between clinicians and consumers -- be damaged if doctors cannot openly discuss topics such as weight?
California's Supreme Court is expected to address these questions when it hears the case of Dr. Alwin Carl Lewis v. the Superior Court and Medical Board of California in 2015.
[Could users trust a Facebook-backed health community? Read Facebook Health? Thumbs Down.]
At issue: In 2012, Lewis received his second amended accusation in two years based on one patient's complaint about the quality of care she allegedly received from him, in part related to comments the doctor reportedly made about her weight (which he denied).
As part of its investigation into the physician who's known for his "Five Bite Diet," the Medical Board researched Lewis' prescribing history by searching prescription drug monitoring program (PDMP) known as CURES -- the Controlled Substance Utilization Review and Evaluation System -- which electronically captures data on all controlled medications prescribed in the state.
Figure 1: (Source: Dominique Godbout/Flickr)
Covered by HIPAA, the database includes more than 100 million entries of controlled substances dispensed in California and the database responds to more than 60,000 requests from practitioners and pharmacists annually, according to the California Department of Justice, which operates and maintains the PDMP. During the search, the Medical Board homed in on a handful of patients and requested further information on their prescription and medical histories via administrative subpoena, The Recorder reported.
"His disciplinary order and the 26-page accusation information is all the we can share at this time," a Medical Board spokeswoman told InformationWeek. "The CURES system is not operated by us, it is operated by the DOJ. We are currently working to get physicians registered into the system so they can use it as a tool."
An administrative law judge found Lewis engaged in unprofessional conduct by failing to keep adequate records with the first plaintiff. The judge determined Lewis had overprescribed controlled substances for two other patients for a short period; the doctor, however, had not repeatedly overprescribed or given dangerous drugs without a prescription, the Recorder wrote. As a result, Lewis was disciplined and placed on probation for two years.
When they receive controlled substances, patients are -- or should be -- aware they could come under government surveillance, the court argued. The database was designed so healthcare officials could search, in real-time, for
potential abuses -- by patients or providers, and the board was using it as intended, according to the court. But the database also includes medications that aren't controlled and tells a lot more about consumers than advocates might like to believe, privacy advocates contend.
How far can Medical Boards go?
There are several dangers here, cautioned Ben Fenton, partner at Fenton Law Group, who represents Lewis in the case scheduled for California's highest court next year. Fenton also was the doctor's attorney in the earlier hearing. He says the issue in this case is whether the Medical Board had the authority to search CURES without a warrant or showing of good cause.
"We want the court to impose some requirements on the government before they're allowed to access this information. There has to be good cause by the investigator ... which justifies the intrusion into the rights of these patients," he said in an interview. "In our case, the complaint related to the doctor had nothing to do with medications or controlled substances. It shows there are no limits as to when the government can access these records or what the government can look at."
Without these safeguards, any investigator can easily look up an individual name -- such as an athlete, celebrity, or politician -- to discern all the prescriptions, both controlled and non-controlled, they're taking and guess their medical conditions, he said. It's also a way for state governments to pry into physicians' ability to practice medicine, using non-medical complaints as the basis of warrantless searches into their prescribing histories, said Fenton. In the initial complaint, Lewis recommended a patient lose weight, something more doctors likely will do. Those patients could angrily report physicians simply for bringing unwelcome messages about diet and exercise, he said.
"Any time a patient complains, a doctor is assumed guilty," said Fenton. "They have to practice very defensive medicine. The court of appeal took the position that prescription records weren't that sensitive. [Yet] prescription records go to the crux of your medical records."
When investigators looked into Lewis, they contacted two patients who knew nothing of the original case, Fenton said. These individuals each received a letter asking them to release their medical files to the board, he said.
"You're weighing two very important interests: Is the government being [allowed] to do [a] proper investigation when it's called for?" Or are citizens' right to privacy being trampled, said Fenton. "It's not only physician rights. It's not only issues related to IT. It's patient rights. It's consumer rights. It's right to privacy. It's government intrusion. It's really widespread and it's something you see around the country."
Backed by privacy advocates
Already, Fenton Law Group has received amicus support from the California Medical Association, the American Medical Association, and the Electronic Freedom Foundation, and hopes to garner more backers among privacy advocates, Fenton said. In its January amicus brief in support of the writ of mandate Fenton wrote, the California Medical Association said:
Confidentiality of medical information is essential to quality care.
Prescription records are medical records and should be subject to HIPAA and other privacy rules.
CURES does not adequately address patient privacy in prescription records.
Information housed within CURES might not be protected by state and federal privacy and security laws.
In an age of big data, it's too easy to integrate disparate data sources to determine patients' conditions.
Other states' PDMSes have more protections than California's to ensure patient privacy.
"Gathering information in CURES is cheaper and easier in comparison to conventional information gathering techniques used by the Medical Board in the recent past," the California Medical Association's brief said. "It also allows for the Medical Board to proceed surreptitiously, evading the ordinary checks that constrain abusive government practices that violate patient privacy. Furthermore, technology has greatly increased the quantity of information available to the Medical Board and facilitates its ability to correlate data from different sources. Records that once revealed only 'a few scattered tiles of information about a person now reveal an entire mosaic' of a person's medical history. Such intrusions can discourage patients from fully and candidly disclosing their medical history with physicians or seek medical care at all and compromise the ability of physicians to provide quality care."
How does your state handle its prescription database? Who can look up your medications? Let us know in comments.
The owners of electronic health records aren't necessarily the patients. How much control should they have? Get the new Who Owns Patient Data? issue of InformationWeek Healthcare today.
About the Author
You May Also Like
2024 InformationWeek US IT Salary Report
May 29, 20242022 State of ITOps and SecOps
Jun 21, 2022