Healthcare Information Security

Patient Privacy News

CA Supreme Court Rejects Physician Patient Privacy Claim

The California Supreme Court determined that the state’s medical board can obtain prescription records without a warrant, rejecting a claim of patient privacy violations.

The California Supreme Court ruled that patient privacy was not violated when the state medical board sought data.

Source: Thinkstock

By Elizabeth Snell

- A California physician’s claim that the state medical board committed patient privacy violations when it obtained an individual’s prescription records without a warrant was recently rejected by the California Supreme Court.

The medical board’s actions were justified, even if “accessing prescription records without good cause constitutes a significant intrusion,” the court explained.

However, the court noted that “patients have a legally recognized privacy interest in their prescription records.”

“The fact that the government regulates controlled substances does not eliminate patients‟ reasonable expectation of privacy,” wrote Justice Goodwin Liu. “A pervasive regulatory scheme has less significance when the area being regulated is particularly sensitive.”

The intrusion could also make patients less willing to pursue treatment for substance abuse, for a fear that their information may become compromised. Even so, the court determined that “it does not significantly impair the patient’s ultimate ability to make that choice on his or her own.”

READ MORE: NJ Gov. Seeks Ease in HIPAA Regulations for Opioid Fight

The case stemmed from 2008, when Dr. Alwin Carl Lewis recommended a diet plan for a prospective patient, who reportedly found the proposal “unhealthful” and filed a complaint to the Medical Board. The Board obtained Controlled Substance Utilization Review and Evaluation System (CURES) reports on Lewis.

Lewis “failed to maintain adequate records regarding the patient who had complained about him, and two of his other patients had been over-prescribed controlled substances for a short period of time,” according to the California board. The physician was placed on three years of probation.

Lewis contended that the board violated patient privacy, although he lost his challenge at the trial court and appellate levels.

CURES is California’s prescription drug monitoring program, and requires that every prescription of a Schedule II, III, or IV controlled substance be logged in it. Patient names, addresses, telephone numbers, gender, dates of birth, drug names, quantities, number of refills, and information about the prescribing physician and pharmacy are also included in the database.

Citing state statute, the Supreme Court explained that CURES data “can be provided to ‘appropriate state, local, and federal public agencies for disciplinary, civil, or criminal purposes and to other agencies or entities, as determined by the Department of Justice, for the purpose of educating practitioners and others in lieu of disciplinary, civil, or criminal actions.’”

READ MORE: Calif. Patient Data Sharing Guidance Aids Mental Health Care

Furthermore, the decision maintained that while California could entirely prohibit the use of particular drugs, it has not done so.

“This case is therefore unlike those in which the Court has held that a total prohibition of certain conduct was an impermissible deprivation of liberty,” Lewis wrote, citing a previous case.

“The disclosure of information from CURES may be one consideration affecting a patient’s choice to pursue treatment, but it does not significantly impair the patient’s ultimate ability to make that choice on his or her own,” the decision said. “Because the Board’s actions do not intrude on a fundamental autonomy right, we apply a general balancing test to assess the Board’s actions in this case.”

The Supreme Court also agreed with the state medical board in its argument that implemented safeguards “limit the degree to which patients’ privacy is invaded when the Board examines their prescription records.”

“In view of the considerations above, we find that the balance tips in favor of the Board’s interests in protecting the public from unlawful use and diversion of a particularly dangerous class of prescription drugs and protecting patients from negligent or incompetent physicians,” wrote Lewis.

READ MORE: AMIA Stresses Patient Data Security Concerns in Federal Rule

“Because any potential invasion of privacy caused by the Board’s actions was justified by countervailing interests, we conclude that the Board did not violate article I, section 1 of the California Constitution when it obtained patient prescription records from CURES.”

Healthcare providers need to carefully consider how patient privacy may be affected in certain situations. While HIPAA regulations specify how PHI should be handled in law enforcement investigations, patients have shown increasing hesitation in how their data is shared between providers.

A Black Book survey from earlier this year found that 90 percent of adult consumers were worried that their pharmacy prescription data is being shared beyond their chosen provider and payer to retailers, employers, and or the government without their acknowledgment. 

Ninety-nine percent of those surveyed voiced similar concern with regard to their mental health notes, while 81 percent of those surveyed were worried over their chronic condition data being shared.

The majority of consumers – 89 percent – added that they withheld information from their provider.

"Incomplete medical histories and undisclosed conditions, treatment or medications raises obvious concerns on the reliability and usefulness of patient health data in application of risk based analytics, care plans, modeling, payment reforms, and population health programming," Black Book Managing Partner Doug Brown said in a statement. "This revelation should force cybersecurity solutions to the top of the technology priorities in 2017 to achieve tangible trust in big data dependability."

X

SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
BYOD
Cybersecurity
Data Breaches
Ransomware

Our privacy policy

no, thanks