A Federal Court Says Your Prescription Records Aren’t Really Private. The Supreme Court Might Have Something to Say About That.

When you fill a prescription at your local drug store, you would surely bristle at someone behind you peeking over your shoulder — but in a decision issued last week, a federal court in Utah said that you have no Fourth Amendment right to object when the peeker is the United States government.

You read that correctly: In a case challenging the Drug Enforcement Administration’s warrantless access to patient prescription records stored in a secure state database, the court relied in part on an outdated legal doctrine to rule that a “patient in Utah decides to trust a prescribing physician with health information to facilitate a diagnosis,” and thereby “takes the risk . . . that his or her information will be conveyed to the government.”

That’s hard to swallow — and it helps make very clear the huge stakes of our upcoming Supreme Court argument in United States v. Carpenter, which concerns the role of the so-called “third-party doctrine” in opening up all kinds of sensitive records to warrantless searches by police.

The 1970s-era doctrine says that Fourth Amendment protections afforded to certain kinds of information disappear once people voluntarily provide that information to a third party. The doctrine emerged from a pair of Supreme Court cases, one of which — Smith v. Maryland — involved a robbery suspect who argued that his Fourth Amendment rights had been violated when police recorded the numbers he dialed from his home phone without obtaining a warrant. The Supreme Court ultimately ruled that because his phone calls passed through the phone company, he lacked a reasonable expectation of privacy in the numbers he dialed, and therefore they weren’t protected by the Constitution.

This case (and its close cousin, United States v. Miller, which held there was no reasonable expectation of privacy in certain banking records held by a bank) is still on the books, and the government has leveraged it to acquire powers that were unimaginable four decades ago. Today, police can track not only the phone numbers dialed by a single suspect over a short period, but also collect reams of information about people — whether their sensitive prescription records or data about their every movement over months at a time — without ever asking a judge for a warrant based on probable cause.

That brings us back to Utah. In 1995, the state passed a law establishing a database for prescriptions of certain medications, including those that treat chronic and acute pain, anxiety disorders, gender transitions, and many more medical conditions or procedures. As of last year, the database housed more than 70 million prescription records and was growing by more than 5 million per year. To address the obvious privacy risks in maintaining this kind of database, and in response to a scandal in which a Utah detective downloaded the entire prescription histories of nearly 500 firefighters, in 2015 the Utah legislature amended its law to require law enforcement to obtain a warrant before retrieving this private medical information.

But even though the amendment made clear that sensitive prescription records should be protected by the safeguards of the warrant requirement — including a probable cause finding of criminal activity, an independent assessment by a judge, and a narrow and particular purpose — the federal government simply didn’t care. In June 2015, the DEA issued a subpoena that was never approved by a judge demanding reams of prescription records from Utah’s state database. When Utah said “get a warrant,” the agency went to court to force the state to turn them over.

Last year, the ACLU and the ACLU of Utah intervened in the case on behalf of Equality Utah, an LGBTQ advocacy organization concerned about the privacy of transgender individuals who are prescribed hormones and other medications, and IAFF Local 1696, the union representing Unified Fire Authority firefighters and paramedics who have experienced concrete violations of their prescription privacy in recent years. (We also represent two individual Utahns and the patients and physicians among the ACLU of Utah’s members.)

The ACLU, on behalf of our clients — along with Utah, on behalf of all its residents — argued that the Fourth Amendment required a warrant because people have a reasonable expectation of privacy in their prescription records.

But the court disagreed, deciding that “[p]hysicians and patients do not have a reasonable expectation of privacy in the highly regulated prescription drug industry,” because a patient who gives a doctor private health information takes the risk that her prescribed treatment will be regulated by state law. In other words, because a person gives sensitive information to a third party (here, a doctor and pharmacist!), that person loses an expectation of privacy in that information — the so-called “third-party doctrine.”

While we’ve lost this round in Utah, there’s another on the horizon that may require the court in Utah to reconsider its conclusions. This fall, we’ll be arguing before the Supreme Court in Carpenter that the mere fact that an individual’s private and sensitive records reside with some third party does not, on its own, eliminate the individual’s constitutional right to privacy in those records. In that case, police collected months’ worth of cell phone location information about our client, all without a warrant.

Given how integral cell phones have become to daily life, and the amount of sensitive information they generate about us, it’s simply untenable to argue that the mere act of carrying a cell phone eliminates your Fourth Amendment right against warrantless government access to your most private information. The Carpenter case provides a historic opportunity to ensure that the protections of the Constitution don’t become obsolete in the face of advancing technology. But it’s about more than the privacy of our cell phone location records. It could also provide an opening to give our prescription data and other sensitive records the privacy they deserve. It’s about time.


D DeMore

HIPAA - 1996 covers this. Is the court daft?


HIPAA is not the prevailing legislation. HIPAA only places requirements on specific organizations. I'm not 100 percent sure but based on the article, I suspect the state is not considered a covered entity under HIPAA, and the information is therefore not subject to its protections. That's why it's covered under the third-party argument.


My understanding of HIPAA is that that state should be a covered entity doing business with the pharmacy/hospital/clinic and therefore should be held to the same regulations.

This is why we ...

Never heard of this case, but I am so glad you are out watching over our rights that seem to be eroding away on every front. This is so incredibly stupid it is like the judge/court in this case had never been to law school! So all legal privilege is waived if the lawyer has a paralegal work on your case? That's a 3rd party.


Before HIPAA, the medical practice I managed required a warrant or subpoena before we would release medical records to law enforcement. HIPAA specifically denies patients that protection.


We shouldn't rely so much on HIPAA to keep all our medical information private. When you discuss prescriptions at the pharmacy, with the pharmacist, tech, or cashier, nine times out of ten there's somebody within hearing distance. Same thing when you check in/out at a provider's office. And fuggedaboutit if you end up in the ER with only a curtain between you and the hallway, and every other patient in the same boat. Even worse, as an in-patient without a private room, your roommate(s) and their visiting family and friends are soon going to know more about you than your mother!

No expectation of privacy in the real world.


Then what is the point of HIPAA?

I've not read through the long tiny print but rather trusted the physician and pharmacy when running it down to me that it "just says that you have a right to privacy" and leaving me assuming this meant that my pharmacy and physician are bound to requirements of a court order or my signature on a release of information.

What's the point of needing a release of information then?

And another issue I've always wondered about is that when going to pick up a prescription it's always on a small computer pad and whoever is waiting with the filled medication is standing there just rambling off what it basically says while a line of people are waiting behind me.

There is a line the other customers are required to stand behind, why?

And when a person is sick or in pain or both are they expected to stand and read through the HIPAA provided them?

An individual with a dx of say.... MS... and experiences brain fog is expected to read and comprehend this information?

Refusing to agree to it only prevents medical care or needed pharmaceuticals.

So we are essentially being threatened with a painful existence and even death in many instances.


HIPAA applies to "covered entities". They are mostly health care providers and health insurers. When covered entities share patient data with third parties, the information is not covered by HIPAA unless the third party is another covered entity.

In this case, the data came into the state database because a state law requires reporting. Most states have similar databases. Any legally required disclosure is allowed by HIPAA. HIPAA restrictions do not follow the data so when a covered entity discloses patient data to a state database, to a researcher, to a public health authority, the data might be subject to some other privacy law in the hands of the recipient, but it is not subject to HIPAA.

HIPAA isn't much help here, but it does partly overturn the third party doctrine in cases when someone uses legal process to demand disclosure of a patient record from a covered entity. HIPAA mostly requires notice to the patient so they can intervene to object. It's similar to, but not quite as useless as, the Right to Financial Privacy Act, a law passed to overturn the Supreme Court's Miller decision. The RFPA gives customers notice of some demands for bank records, but the standard in the Act is so weak that customers have almost no chance of prevailing if they seek to intervene and block a disclosure. Plus the RFPA has a zillion exceptions. So does HIPAA in its own way, but HIPAA mostly allows disclosures rather than compels them.


"So does HIPAA in its own way, but HIPAA mostly allows disclosures rather than compels them."

This is what I've always suspected but assumed it would not ever be subject to someone even asking anyone for it unless a person was suspected of a serious felony that somehow attached to their medical information.


In creating the 4th Amendment, the Framers of the Constitution essentially declared that: most personal information is NOT the government's business. The Framers never wanted a European style "nanny-state" playing a parental role over us mere peasants. In America the peasants or citizens are the rulers of the government within constitutional boundaries!

