Prescription Database Privacy Case Heads For Legal Showdown

California Supreme Court will decide whether the state's medical board breached patient privacy when it used data from a state prescription database to discipline a physician.

potential abuses -- by patients or providers, and the board was using it as intended, according to the court. But the database also includes medications that aren't controlled and tells a lot more about consumers than advocates might like to believe, privacy advocates contend.

How far can Medical Boards go?
There are several dangers here, cautioned Ben Fenton, partner at Fenton Law Group, who represents Lewis in the case scheduled for California's highest court next year. Fenton also was the doctor's attorney in the earlier hearing. He says the issue in this case is whether the Medical Board had the authority to search CURES without a warrant or showing of good cause. 

"We want the court to impose some requirements on the government before they're allowed to access this information. There has to be good cause by the investigator ... which justifies the intrusion into the rights of these patients," he said in an interview. "In our case, the complaint related to the doctor had nothing to do with medications or controlled substances. It shows there are no limits as to when the government can access these records or what the government can look at."

Without these safeguards, any investigator can easily look up an individual name -- such as an athlete, celebrity, or politician -- to discern all the prescriptions, both controlled and non-controlled, they're taking and guess their medical conditions, he said. It's also a way for state governments to pry into physicians' ability to practice medicine, using non-medical complaints as the basis of warrantless searches into their prescribing histories, said Fenton. In the initial complaint, Lewis recommended a patient lose weight, something more doctors likely will do. Those patients could angrily report physicians simply for bringing unwelcome messages about diet and exercise, he said.

"Any time a patient complains, a doctor is assumed guilty," said Fenton.  "They have to practice very defensive medicine. The court of appeal took the position that prescription records weren't that sensitive. [Yet] prescription records go to the crux of your medical records."

When investigators looked into Lewis, they contacted two patients who knew nothing of the original case, Fenton said. These individuals each received a letter asking them to release their medical files to the board, he said.

"You're weighing two very important interests: Is the government being [allowed] to do [a] proper investigation when it's called for?" Or are citizens' right to privacy being trampled, said Fenton. "It's not only physician rights. It's not only issues related to IT. It's patient rights. It's consumer rights. It's right to privacy. It's government intrusion. It's really widespread and it's something you see around the country."

Backed by privacy advocates
Already, Fenton Law Group has received amicus support from the California Medical Association, the American Medical Association, and the Electronic Freedom Foundation, and hopes to garner more backers among privacy advocates, Fenton said. In its January amicus brief in support of the writ of mandate Fenton wrote, the California Medical Association said:

  • Confidentiality of medical information is essential to quality care.
  • Prescription records are medical records and should be subject to HIPAA and other privacy rules.
  • CURES does not adequately address patient privacy in prescription records.
  • Information housed within CURES might not be protected by state and federal privacy and security laws.
  • In an age of big data, it's too easy to integrate disparate data sources to determine patients' conditions.
  • Other states' PDMSes have more protections than California's to ensure patient privacy.

"Gathering information in CURES is cheaper and easier in comparison to conventional information gathering techniques used by the Medical Board in the recent past," the California Medical Association's brief said. "It also allows for the Medical Board to proceed surreptitiously, evading the ordinary checks that constrain abusive government practices that violate patient privacy. Furthermore, technology has greatly increased the quantity of information available to the Medical Board and facilitates its ability to correlate data from different sources. Records that once revealed only 'a few scattered tiles of information about a person now reveal an entire mosaic' of a person's medical history. Such intrusions can discourage patients from fully and candidly disclosing their medical history with physicians or seek medical care at all and compromise the ability of physicians to provide quality care."

How does your state handle its prescription database? Who can look up your medications? Let us know in comments.

The owners of electronic health records aren't necessarily the patients. How much control should they have? Get the new Who Owns Patient Data? issue of InformationWeek Healthcare today.

Editor's Choice
Samuel Greengard, Contributing Reporter
Cynthia Harvey, Freelance Journalist, InformationWeek
Carrie Pallardy, Contributing Reporter
John Edwards, Technology Journalist & Author
Astrid Gobardhan, Data Privacy Officer, VFS Global
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing