A Federal Court Says Your Prescription Records Aren’t Really Private. The Supreme Court Might Have Something to Say About That.
When you fill a prescription at your local drug store, you would surely bristle at someone behind you peeking over your shoulder — but in a decision issued last week, a federal court in Utah said that you have no Fourth Amendment right to object when the peeker is the United States government.
You read that correctly: In a case challenging the Drug Enforcement Administration’s warrantless access to patient prescription records stored in a secure state database, the court relied in part on an outdated legal doctrine to rule that a “patient in Utah decides to trust a prescribing physician with health information to facilitate a diagnosis,” and thereby “takes the risk . . . that his or her information will be conveyed to the government.”
That’s hard to swallow — and it helps make very clear the huge stakes of our upcoming Supreme Court argument in United States v. Carpenter, which concerns the role of the so-called “third-party doctrine” in opening up all kinds of sensitive records to warrantless searches by police.
The 1970s-era doctrine says that Fourth Amendment protections afforded to certain kinds of information disappear once people voluntarily provide that information to a third party. The doctrine emerged from a pair of Supreme Court cases, one of which — Smith v. Maryland — involved a robbery suspect who argued that his Fourth Amendment rights had been violated when police recorded the numbers he dialed from his home phone without obtaining a warrant. The Supreme Court ultimately ruled that because his phone calls passed through the phone company, he lacked a reasonable expectation of privacy in the numbers he dialed, and therefore they weren’t protected by the Constitution.
This case (and its close cousin, United States v. Miller, which held there was no reasonable expectation of privacy in certain banking records held by a bank) is still on the books, and the government has leveraged it to acquire powers that were unimaginable four decades ago. Today, police can track not only the phone numbers dialed by a single suspect over a short period, but also collect reams of information about people — whether their sensitive prescription records or data about their every movement over months at a time — without ever asking a judge for a warrant based on probable cause.
That brings us back to Utah. In 1995, the state passed a law establishing a database for prescriptions of certain medications, including those that treat chronic and acute pain, anxiety disorders, gender transitions, and many more medical conditions or procedures. As of last year, the database housed more than 70 million prescription records and was growing by more than 5 million per year. To address the obvious privacy risks in maintaining this kind of database, and in response to a scandal in which a Utah detective downloaded the entire prescription histories of nearly 500 firefighters, in 2015 the Utah legislature amended its law to require law enforcement to obtain a warrant before retrieving this private medical information.
But even though the amendment made clear that sensitive prescription records should be protected by the safeguards of the warrant requirement — including a probable cause finding of criminal activity, an independent assessment by a judge, and a narrow and particular purpose — the federal government simply didn’t care. In June 2015, the DEA issued a subpoena that was never approved by a judge demanding reams of prescription records from Utah’s state database. When Utah said “get a warrant,” the agency went to court to force the state to turn them over.
Last year, the ACLU and the ACLU of Utah intervened in the case on behalf of Equality Utah, an LGBTQ advocacy organization concerned about the privacy of transgender individuals who are prescribed hormones and other medications, and IAFF Local 1696, the union representing Unified Fire Authority firefighters and paramedics who have experienced concrete violations of their prescription privacy in recent years. (We also represent two individual Utahns and the patients and physicians among the ACLU of Utah’s members.)
The ACLU, on behalf of our clients — along with Utah, on behalf of all its residents — argued that the Fourth Amendment required a warrant because people have a reasonable expectation of privacy in their prescription records.
But the court disagreed, deciding that “[p]hysicians and patients do not have a reasonable expectation of privacy in the highly regulated prescription drug industry,” because a patient who gives a doctor private health information takes the risk that her prescribed treatment will be regulated by state law. In other words, because a person gives sensitive information to a third party (here, a doctor and pharmacist!), that person loses an expectation of privacy in that information — the so-called “third-party doctrine.”
While we’ve lost this round in Utah, there’s another on the horizon that may require the court in Utah to reconsider its conclusions. This fall, we’ll be arguing before the Supreme Court in Carpenter that the mere fact that an individual’s private and sensitive records reside with some third party does not, on its own, eliminate the individual’s constitutional right to privacy in those records. In that case, police collected months’ worth of cell phone location information about our client, all without a warrant.
Given how integral cell phones have become to daily life, and the amount of sensitive information they generate about us, it’s simply untenable to argue that the mere act of carrying a cell phone eliminates your Fourth Amendment right against warrantless government access to your most private information. The Carpenter case provides a historic opportunity to ensure that the protections of the Constitution don’t become obsolete in the face of advancing technology. But it’s about more than the privacy of our cell phone location records. It could also provide an opening to give our prescription data and other sensitive records the privacy they deserve. It’s about time.