Declaring a Public Health Emergency Carries Privacy Concerns

The administration is expected today to designate the opioid crisis a public health emergency. But what does that mean for patients’ data?

Leo Beletsky, JD, MPH. Credit: US Department of Health and Human Services livestream.

On the same day that the president is poised to ask the Department of Health and Human Services (HHS) to declare the opioid abuse crisis a public health emergency, HHS is hosting a symposium on privacy in the digital age. The pre-planned opening speech addressed the privacy implications of the opioid crisis—and how that emergency designation could amplify them.

Beginning more than a decade ago, “There was an assumption that we were overprescribing opioids and that they were being diverted,” said Leo Beletsky, JD, MPH, of Northeastern University. “At the same time, there was really a feeling that we were failing people in treatment, so prescription drug monitoring became part of that as well.”

Beletsky called such prescription drug monitoring programs (PDMP) an “essential tool” for the public health fight against drug abuse, but he noted that they came with a “sinister side.” He described them as a type of limited electronic medical record system that tracks people’s prescriptions without context. In most states, that information can be accessed by law enforcement without a court order.

Two states, Oregon and Utah, passed laws requiring warrants. But they recently lost a court battle against the Drug Enforcement Agencies and said they would not appeal.

“All those laws are essentially extinguished, which I think is a notable development and requires fixes,” Beletsky said. Other states, like Kentucky, Wisconsin, and Maine, actually bundle PDMP information with law enforcement information on drug arrests and charges, regardless of whether they result in convictions.

In the context of today’s public health emergency announcement, Beletsky said there has been talk of opening up the PDMP systems more broadly to law enforcement, potentially allowing for warrantless access to patient prescription information nationwide.

The “sinister side” that he alluded to was multifaceted. In the first place, he said, privacy breaches have historically been directed toward the impoverished, disadvantaged, and nonwhite. That stemmed from government and law enforcement inquiries and interventions regarding contraceptive use among those groups in the 20th century.

Another concerning aspect was how people generally don’t know that their data enters such systems when they fill a prescription. That means there is no notification or consent. The “owners” of that data are typically state public health bodies or law enforcement agencies, which often don’t fall under the purview of HIPAA privacy or security regulations.

That came into play recently, in the wake of the Las Vegas shooting, in which a newspaper publisher leaked information on the shooter’s prescription history obtained from Nevada’s PDMP, spurring rampant speculation.

Several news reports expect the president to announce his public health emergency order around 2 p.m.