Medical records have long been given an increased expectation of privacy, something that dates back to before the passage of HIPAA. (See also: Hippocratic Oath.) Consultations with doctors — and the written records resulting from them — have generally been treated as confidential, seeing as they contain potentially embarrassing/damaging information. Personal health information can be reported to law enforcement for many reasons: suspicion of criminal activity on the health entity’s property, suspicion of criminal activity related to an off-site emergency, reporting a death, patients with stabbing/gunshot wounds, or in the case of a serious/immediate threat. Otherwise, HIPAA’s rules for law enforcement say personal information can only be released under the following conditions:
To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or an administrative request from a law enforcement official (the administrative request must include a written statement that the information requested is relevant and material, specific and limited in scope, and de-identified information cannot be used).
The bar is set pretty low and the DEA has been taking advantage of it. Jon Cassidy of Watchdog.org is reporting that the agency is rooting around in medical records in hopes of finding patients or health care providers who might be abusing drugs.
The Drug Enforcement Administration has been sifting through hundreds of supposedly private medical files, looking for Texas doctors and patients to prosecute without the use of warrants.
What the DEA is using instead is a blend of impersonation and administrative permission slips sporting the agency’s own signature.
Instead, the agents are tricking doctors and nurses into thinking they’re with the Texas Medical Board. When that doesn’t work, they’re sending doctors subpoenas demanding medical records without court approval.
How often is this happening? Apparently it’s so close to “all the time” that the DEA doesn’t even have an approximate guess. This is what a DEA spokesperson told the Daily Caller.
“It’s not like there’s ten of them. There’s probably thousands — I know there are thousands,” Matt Barden, spokesman for the DEA, told the Daily Caller News Foundation about the DEA’s use of administrative subpoenas.
Early last year, a federal court in Oregon ruled the DEA could not access the state’s prescription database without a warrant. Unfortunately, this was due to Oregon’s state laws being more restrictive than federal law. A federal judge in Texas reached the opposite conclusion, finding that the DEA’s use of administrative subpoenas complied with both HIPAA and state law. This decision is now headed for the Fifth Circuit Court of Appeals, where it is hoped a finding similar to the decision in Oregon will be the end result. But judging from the laws in place, that outcome is doubtful.
While the DEA’s use of administrative subpoenas appears to comply with HIPAA’s restrictions, its repeated attempts (many of them successful) to access medical records with no paperwork whatsoever seem less likely to stand up to legal scrutiny.
The Dallas-area doctors bringing the lawsuit against the DEA have uncovered plenty of DEA subterfuge. In their case, three DEA agents showed up at their offices with a state medical board investigator. Only the investigator identified herself. The agents remained silent, allowing the nurse to believe they, too, were with the state medical board.
The state medical board may have every right to view medical records without any accompanying paperwork, but that’s because this information falls directly under its purview. The DEA, however, is looking to build criminal cases. This brings with it additional Fourth Amendment considerations and, at the very least, should bind it to the minimal restrictions of HIPAA. Apparently, issuing its own permission slips is still too much work and the delivered paperwork might accidentally restrict it to only certain medical records pertaining to certain people. By impersonating medical board members, agents have unrestricted access to whatever they ask for.
As Watchdog’s Jon Cassidy points out, patients who’d like their privacy respected may want to seek their prescriptions and refills… elsewhere.
The DEA’s practice of avoiding warrant requirements has produced this absurdity: If you have a prescription for Adderall or OxyContin, you might be safer getting your drugs on the street than through your own doctor.
Street dealers, after all, don’t keep patient records, and they’re afforded more constitutional protections than medical practitioners. That is, cops still need a warrant to search them.
While the latter isn’t strictly true in all cases, it’s true enough to show how limited the protections of HIPAA actually are. The more disturbing aspect is that the DEA isn’t even satisfied with near-instant access to a wealth of medical records provided by administrative subpoenas. It apparently only uses the correct paperwork as Plan B, preferring to mislead medical practitioners by allowing them to believe its agents are investigators working for the state medical board.