Prescription Monitoring Programs, Patient Privacy & SCOTUS

In a previous post, we discussed how the opiate crisis has been blurring the lines in historic health policy, most recently as it comes to the tenability of taxes and fees on medications. Let’s now put on another pair of glasses and look at health policy through the eyes of law enforcement, particularly as it pertains to the prescription monitoring program, patient privacy, and House Bill 458

House Bill 458 is a short bill. The meat of it is an innocuous strike-through of four words from the prescription monitoring program statute: “by an identified suspect.” Before we jump into exactly why that matters, let’s set a little context.

What’s a prescription monitoring program (PMP, or, in some states, a PDMP – Prescription Drug Monitoring Program)? Simply put, it’s a database of all controlled substances prescribed and dispensed to patients in Delaware. As section 4798 of Title 16 of the Delaware Code states, “It is the intent of the General Assembly that the Delaware Prescription Monitoring Act established pursuant to this section serves as a means to promote public health and welfare and to detect the illegal use of controlled substances. The Delaware Prescription Monitoring Act shall have the dual purpose of reducing misuse and diversion of controlled substances in the State while promoting improved professional practice and patient care.”

As a public health tool, a PMP essentially aggregates all of this information into one place so that prescribers and pharmacists can (and must) look for patients who might be “doctor shopping,” either to feed a personal addiction or to illegally divert (re-sell) controlled substances. It also allows the aggregated data to be examined for prescribing trends as well as outlier prescribers.

In Delaware, our PMP is also used to “assist law enforcement to investigate illegal activity related to the prescribing, dispensing and consumption of controlled substances or drugs of concern.” This goal is accomplished by giving local and federal law enforcement an efficiency in accessing the data.

That efficiency is that unlike approximately one third of states with PMPs, Delaware does not require a warrant, but instead empowers and directs our Secretary of State through the Division of Professional Regulation, which oversees the PMP, to act in a quasi-judicial function and screen all law enforcement requests for data. This puts us in the middle of the pack for patient protections, but arguably the walls around the data retain their integrity by listing out all of the elements that law enforcement would have to show in order to have access to PMP data:

The Office of Controlled Substances may provide data in the prescription monitoring program in the form of a report to…[a] local, state, or federal law-enforcement or prosecutorial official engaged in the administration, investigation, or enforcement of the laws governing controlled substances and who is involved in a bona fide specific drug-related investigation in which a report of suspected criminal activity involving controlled substances by an identified suspect has been made, and provided that such information be relevant and material to such investigation, limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought, and include identifying information only upon a showing of need.  16 Delcode 4798(l)(2)(d)

Keeping things high level, a warrant is essentially a document that shows that a judge agrees that law enforcement has established probable cause to perform a search into otherwise constitutionally protected persons or places. One deeply important piece of these probable cause requirements is particularity. Particularity is what protects against dragnets and fishing expeditions. Essentially, law enforcement must have first identified the person or place they want to search in a way that distinguishes them from the rest of the population. That is why those four words—“by an identified suspect”—are so important.

As a real-world example, in a medical practice or pharmacy, patient information is stored in charts and in electronic health records. Police are not permitted to walk past the front desk, into the medical records room, and begin to read through patient charts to look for evidence of wrongdoing. If they suspect wrongdoing and believe information in a medical record would be helpful to their investigation, they must first get a warrant from a judge and present the warrant to the front desk. Only then may search the particular records of the particular patient.

There are several public policies in play with the PMP: (1) the initial governmental collection of the prescription data on the front end for use inside of the healthcare system, (2) the ability of public health to de-identify and use aggregate data for trends and policy creation, and (3) the accessibility of it for law enforcement on the back end. For an interesting read addressing many of these aspects, particularly law enforcement in the cases of an identified individual, we recommend the California case Lewis v. Superior Court, 3 Cal. 5th 561 (Cal. 2017) and also the Yale Law Information Society Amicus Brief in Oregon PDMP v. DEA. Because of its timeliness in light of a recent US Supreme Court decision and its importance to the legislation at hand, we’re let’s drill down a little on the third piece – the Fourth Amendment and the third party doctrine.

Until a few days ago, it has been generally accepted and held by some courts, such as those in California, that a patient’s Fourth Amendment rights against unreasonable searches do not directly apply to PMPs. Some of the logic has been that the information in the PMP is no longer the patient’s, but the state’s; therefore, the state may define protections as it chooses. That’s how Delaware was able to move the gatekeeper function into the Secretary of State’s purview and out of that of the judiciary.

In that move, Delaware still opted to be incredibly careful with that information, seeing patients in the opiate addiction and diversion context not as criminals, but as patients with a disease. It firmly rejected the premise that law enforcement should be able to pick through the information in order to build their criminal cases. This decision rested at the discretion of the General Assembly. But how much discretion is there now in what protections information in databases like the PMP must have?

A carve out for law enforcement from Fourth Amendment search protections is that if a person voluntarily turned over their protected information to a third party, they no longer had a reasonable expectation of privacy with regard to that information such that law enforcement would need a warrant to access it. Of course, you may notice that already there’s a real question as to the voluntary nature of the patient’s turning over of information to the PMP in the first place. Most patients have no idea that their information is being collected. Those that do only see the health system side of it which is that patients are tracked practice-to-practice to limit doctor shopping. Regardless, it had been clear that states could skirt the Fourth Amendment and use broad discretion to set the level of law enforcement access.

At the end of June, the Supreme Court of the United States decided Carpenter v. United States. Read narrowly, it’s a telecommunications case requiring law enforcement to get a warrant to look at cell phone location records. Read broadly, it’s a warning shot and signal that Fourth Amendment doctrine is adapting with technology and the realities of what (little) control a person actually has over their information. Patients are not choosing that their information is going into the PMP; the government is choosing that it is, regardless of any patient objection. After this morning’s ruling, overseers of databases like a PMP need to take a second look at whether the original data-holders still have a reasonable expectation of privacy with regard to their information from a Constitutional perspective—if they ever did.

With this change in landscape in mind and in the context of House Bill 458, as we close in on the end of the 149th General Assembly Delaware legislators have to decide both if removing the particularity requirement (“by an identified suspect”) from the PMP statute is constitutional, and even if it is, is it in the best interest of Delawareans?

In assessing the latter, the fundamental question to ask here is, “What problem is this trying to fix?”

Allegedly, the underlying issue HB 458 seeks to address, as relayed by the Attorney General, is that the US Department of Justice that operates in our region was investing a homicide. Law enforcement sought the PMP data of the deceased, but because that person was deceased, the DOJ could not satisfy the particularity requirement of the statute as there are no criminal investigations into deceased persons. The proponents of the legislation claim that removing the need for an identified suspect from Delaware state law would mean that USDOJ could access the PMP to look for greater information around the larger circumstances of the death in furtherance of their investigation, as Pennsylvania allows them to do.

Even before the Carpenter decision, Delaware’s proximity to Pennsylvania has been skewing the policy picture. As one can see from this map, Pennsylvania is an odd outlier, dissimilar from virtually every other state. The map doesn’t reflect it, but Pennsylvania made the public policy decision to put its PMP directly within the Attorney General’s office. What this has meant is that their PMP’s public policy balance skews heavily toward it being a law enforcement tool. It also puts Pennsylvania quite squarely at the bottom of the list for protecting patient privacy. If the issue is being framed as “Delaware should be more like its neighboring state of Pennsylvania,” it could just as easily, and frankly more honestly, be framed as “Delaware should be more like its neighboring states of Maryland and New Jersey,” both of which have a judicial process for gaining access to their PMPs.

Regardless, the assertion that removing the particularity requirement would get law enforcement around this step with the Secretary of State and grant it access to the PMP is a classic example of using a cannon to kill a mosquito: it would lower protections for all investigations, not just homicides. Without a need for a person, patient information could be combed through for all kinds of investigations, trampling over individual patient’s expectation of privacy. This is especially concerning because the average patient has no idea that their patient information is being stored in a separate government database in the first place.

Now in theory, Delaware’s Secretary of State can still use his discretion and reject requests that he thinks are too far afield into fishing, from either local or federal law enforcement. Responsible public policy, however, is not created in reliance on the promise of one official who temporarily occupies an important position. Patient rights to privacy should not be eroded based on a “trust me,” no matter who utters it. Just as strong an argument can be made that because the Delaware Secretary of State does not have attorneys of his own, he relies upon attorneys in the AG’s office—that really we are trusting the Attorney General to self-police his own requests. Regardless, statutes must create safeguards and expectations at a system level that are person blind.

Finally, if we are to believe the fact pattern presented and this is not simply a pretense to generally water down patient privacy protections, there are narrower ways to address it which can draw upon patient expectations everywhere in healthcare. That is, while healthcare professionals carry a duty of confidentiality on behalf of their patients, the patients themselves can always freely discuss and disclose their own health information. And while the confidentiality duty survives the patient, there is a hierarchy of persons who can access that information in the event of the patient’s death. The narrowest way to address the homicide issue is to mirror this real-world pathway in our PMP statute. By simply amending the statute to make it clear that next of kin can access the decedent’s PMP information, law enforcement can quickly and efficiently get the narrow information it needs.