Prescription Monitoring Programs: HIPAA, Cybersecurity and Privacy

By Stephen P. Wood

Privacy, especially as it relates to healthcare and protecting sensitive medical information, is an important issue. The Health Insurance Portability and Accountability Act, better know as HIPAA, is a legislative action that helps to safeguard personal medical information. This protection is afforded to individuals by the Privacy Rule, which dictates who can access an individual’s medical records, and the Security Rule, which ensures that electronic medical records are protected.

Access to someone’s healthcare records by a medical provider typically requires a direct health care-related relationship with the patient in question. For example, if you have a regular doctor, that doctor can access your medical records. Similarly, if you call your doctor’s office off-hours, the covering doctor, whom may have no prior relationship with you, may similarly access these records. The same holds true if you go to the emergency department or see a specialist. No provider should be accessing protected information however, without a medical need.

This is occurring however, with some regularity and not always for medical use. It is happening through a tracking database that goes by various names but is in essence a Prescription Monitoring Program (PMP).

The PMP is a database that provides access to a person’s prescriptive history, usually with regard to DEA scheduled and controlled substances such as opioids and benzodiazepines. Several states have also added other drugs that while not scheduled, do have abuse potential such as gabapentin and pregabalin. Some programs also monitor drugs that while still scheduled, don’t have abuse potential, like testosterone replacement therapy that is often used in gender reassignment.

What is the PMP?

Prescription monitoring programs (PMP) are state-based electronic databases used to track the prescribing of designated controlled substances. The purposes of PMPs are to support access to legitimate medical use of controlled substances as well as to identify, deter or prevent drug abuse and diversion. Currently 49 states, the District of Columbia, and Guam have PMP programs, most of which are either monitored by the Board of Health or Board of Pharmacy.

The purpose of PMPs was to help reduce abuse of and overdose deaths from opioid prescriptions. Data from the Center for Disease Control indicates that in 2016, there were approximately 42,000 deaths attributable to opioids, 40 percent of which were from prescription opioids. There are 250 million prescriptions written annually, enough for one bottle for every American adult. Prescribing is varied and disparate, with the highest prescribing state, Alabama, having three times the number of prescriptions as Hawaii, the lowest prescribing state.

This as all coupled with reports of ever-rising rates of opioid prescriptions, the existence of unscrupulous opioid “pill mill” physicians and the proclivity of patients to “doctor shop,” a term used to describe patients who get prescriptions from multiple sources.

The intent of PMPs was to curb all facets of prescription abuse by allowing providers to look up patients, identify high-risk prescription correlates, ensure good prescribing practices, and possibly to assist in helping patients with substance use disorder towards treatment.

The concept of the PMP has merit. They may help to identify individuals obtaining controlled substances from several sources, aid in identifying patients receiving multiple prescriptions in a short time frame, or for patients on multiple psychotropic agents.

The PMP has been met with some criticism as well. Several states have demonstrated decreased incidences of death from prescription opiates with the enactment of PMPs. Florida for example, reduced rates of death from oxycodone by 25 percent after implementation of their PMP program. This would seem promising but most likely is not; deaths from heroin were up eight-fold and those from fentanyl, five-fold in the same time frame.

The other issue is how well this very sensitive information is protected. Certainly, access to PMPs could do significant harm to individuals if the information is abused in any way. As with any database, there is a risk of unauthorized access, hacking or misuse. While the intent of the PMP is to curb this crippling epidemic, it still requires scrutiny when it comes to privacy and access.

HIPPA and the PMP

Prescription monitoring programs do not specifically fall under HIPPA, but the rules still apply with regard to access of information. Anyone accessing the PMP must be involved in that individual’s patient care. While the PMP itself is not subject to HIPPA, prescribers and dispensers are. Most healthcare providers who access the PMP do so legally and to obtain pertinent medical information. They must ensure that the information they obtain is protected and these records should only be accessed for direct patient care.

There are gray areas, however. One such gray area is that scheduled substances used for the treatment of opioid use disorder, such as buprenorphine, when prescribed by a substance abuse treatment center, should not be reported as dictated by the Federal Confidentiality Rule. Title 42 of the Code of Regulations was instituted to protect individuals seeking substance use treatment from any potentially adverse consequence such as a civil or criminal hearing. There are also other potential non-medical concerns such as access by insurance companies or even employers. Many states do however report buprenorphine and other states have asked for revise this protection so that methadone is also reported.

There is certainly a fine line between privacy and protection. On one hand, a patient’s health information should be protected, especially with regard to non-medical use. On the other hand, knowing whether or not a patient is receiving opioids can be lifesaving. Policy makers will need to consider these issues as PMPs become more prevalent, are accessed by both medical and non-medical individuals as well as how and when this information can be used. There should also be some thinking around what drugs should and should not be reported. Finally, there need to be assurances that the individuals accessing the information actually require access for direct medical care.

Cybersecurity: Are these records safe?

The safety and security of protected and sensitive information is paramount. Prescription monitoring programs contain sensitive information that includes patient names, date of birth, social security numbers, addresses and phone numbers as well as information about prescriptions an individual has received. The consequences of a breach of security can be highly detrimental and potentially harmful to individuals. The PMP must be highly secure to protect individuals from illegally gaining access to this information. In June of 2009 however, a hacker was alleged to have accessed the State of Virginia’s prescription monitoring program, allowing access to 35 million prescription records. While this system was quickly shutdown, it is unclear if there was any impact from this breach. The motive for such an attack is unclear, but analysts suspect that this information could have been used to gain access to refills for illicitly obtaining opioids and benzodiazepines. In theory, this information could also be quite valuable to insurance companies who could deny coverage to individuals deemed at risk.

Hackers have accessed an array of databases including banks, credit card companies, and even FEMA and the FBI have been targeted by hackers with some success. While a credit card number or your bank account can be cancelled and changed, more private information pertaining to your health cannot.

As with any database, policy around security of any PMP requires scrutiny. States need to provide assurances that the systems are secure and need to have systems in place that address any breach of information. Patients and providers should also be notified if there is a breach so that they can take the appropriate steps to protect themselves.

Another protection should allow prescribers to review their own prescribing history to ensure that they have not been subject to misuse of their DEA number. Finally, patients should be able to obtain access, through some formal process, to ensure that the history is truly theirs. His should also include a process for appeal.

Non-medical Use: Are personal rights being violated?

The area that has raised the most questions however, is non-medical use of the PMP. This is where the lines get really blurred. In most states, access to the PMP is afforded not only to medical professionals, but also to law enforcement. Most law enforcement officers and agencies use this information in the right way, to protect individuals and to aid in investigations. Use of the PMP by law enforcement can be valuable. It can help to identify incidences of drug diversion as well as overprescribing.

Certainly, there is a legitimate reason for law enforcement to access these records. Whether or not this should require a warrant however, has been debated. In many states, officers only need probable cause to access the PMP. The ACLU has argued that patients have a right to privacy and that access should require a warrant and in fact a federal judge ruled this to be true. Some states limit access to only certain investigators, while others require training before access is permitted. There are states however that support carte blanche access without a warrant. This is a debate that will likely continue, with strong arguments both pro and con for non-medical access.

The PMP is a novel concept that was launched in an attempt to curb the misuse of prescription drugs. It has good intentions and there have been reports of some success in achieving its primary goal. What is less known is where in lie its faults. There are some harms that have been proposed including shifting use to illicit drugs as well as limiting access for patients in need. Privacy however is another significant issue and it remains unclear if there will be downstream effects of use of this system in his regard. This is especially true when this system is used for non-medical reasons. There are good arguments both for and against PMPs. What will be most important is that policy around PMPs protects patients as well as their privacy while also helping to curb the opioid epidemic. Policy makers will need to utilize evidence-informed data for decisions around access and use in order to best protect people against misuse, intended or not.