Lawsuit time!
posted by Abehammerb Lincoln at 11:21 AM on December 12, 2023 [7 favorites]

So... why? Were they just cooperating with cops because of a misdirected belief in their moral uprightness? Was there a belief that police wouldn't respond to calls from stores that weren't complying with extra-legal requests? Was that stated outright or alluded to by police communications? Was this paid for?
posted by Slackermagee at 11:30 AM on December 12, 2023 [6 favorites]

When fucking Amazon is the industry leader for privacy protection, that is really saying something, although they're still not great in absolute terms.
posted by jedicus at 11:43 AM on December 12, 2023 [13 favorites]

It's wild how many healthcare-adjacent people love to police ill and disabled people.
posted by smirkette at 11:47 AM on December 12, 2023 [22 favorites]

Women are likely targets of this, especially in states that have taken abortion rights away.
posted by They sucked his brains out! at 11:53 AM on December 12, 2023 [35 favorites]

Key paragraph:

Because the chains often share records across all locations, a pharmacy in one state can access a person’s medical history from states with more-restrictive laws. Carly Zubrzycki, an associate professor at the University of Connecticut law school, wrote last year that this could link a person’s out-of-state medical care via a “digital trail” back to their home state.
posted by gimonca at 11:58 AM on December 12, 2023 [19 favorites]

If you're going to evaluate whether a warrant is valid and minimize the scope of the data that needs to be turned over you typically want some fairly expensive experts so if it goes to court you have a leg to stand on. But if you just give the cops whatever they want and never tell your customers you did it, it's actually pretty cheap to comply with legal process requests
posted by potrzebie at 12:01 PM on December 12, 2023 [12 favorites]

When I worked at giant unnamed corporation with locations all over the world, the local authorities could come in and demand anything at anytime. And our directions were: be polite, say nothing, here’s how you contact the company lawyers.
posted by Abehammerb Lincoln at 12:17 PM on December 12, 2023 [10 favorites]

The letter regarding the congressional inquiry is helpful in clarifying exactly what’s going on:

All of the pharmacies surveyed stated that they do not require a warrant prior to sharing pharmacy records with law enforcement agents, unless there is a state law that dictates otherwise. Those pharmacies will turn medical records over in response to a mere subpoena, which often do not have to be reviewed or signed by a judge prior to being issued. To justify this low standard of protection, several pharmacies cited language in HHS regulations that allow healthcare providers to disclose such records if it is required by law, pursuant to legal process, or pursuant to an administrative request. HIPAA gives discretion to HHS via regulation to determine the standard of legal process that will govern disclosure of medical records, which means HHS can revisit and strengthen the minimum bar set in the current regulations to require a warrant.

So my interpretation here is that the companies are using HHS regulations as justification for doing the bare minimum due diligence legally required. To speculate, this is probably partly to reduce costs, and probably partly to reduce friction when interacting with law enforcement agencies: They can point to a regulation to specify exactly what is needed to get the data, and not have to be in a situation where they’re arguing with angry cops or prosecutors.

The letter goes on to call on HHS to change the regulation to raise the minimum bar for handing over data.
posted by learning from frequent failure at 12:30 PM on December 12, 2023 [11 favorites]

Yikes, I worked not that long ago for a major communications company that's had a history of being government friendly (to put it mildly) and they had more stringent guidelines than this.
posted by drewbage1847 at 12:43 PM on December 12, 2023 [1 favorite]

When fucking Amazon is the industry leader for privacy protection, that is really saying something, although they're still not great in absolute terms.

The trade-off for privacy, security, etc is that a) big tech corps will be untrustworthy, but are forced to do /something/ thanks to years of lawsuits and consent decrees, and b) small corps will do nothing, and you won't know it until there's a breach. The only saving grace of small-corps is that they are typically going to be too small to bother with - but you're basically looking at security-through-obscurity, which ain't great.

The non-tech big-corps are probably the worst of both worlds... Haven't been forced to behave reasonably, but are also operating at-scale, making them great targets.
posted by kaibutsu at 12:46 PM on December 12, 2023

Officials with CVS, Kroger and Rite Aid said they instruct their pharmacy staff members to process law enforcement requests on the spot, saying the staff members face “extreme pressure to immediately respond,” the lawmakers’ letter said.

Sounds like the same advice they give for armed robberies.
posted by credulous at 12:47 PM on December 12, 2023 [53 favorites]

Sounds like the same advice they give for armed robberies.

Not a coincidence.
posted by potrzebie at 1:00 PM on December 12, 2023 [14 favorites]

Yikes, I worked not that long ago for a major communications company that's had a history of being government friendly (to put it mildly) and they had more stringent guidelines than this.

Because your "major communications company" had to follow a law passed in 1996 that laid out exactly the process involved, including the legal and civil penalties that would be handed down if your "major communications company" didn't hand over the data in 48 hours or less. Your "major communications company" also had entire departments and technical staff dedicated to providing this data because that's the only way your General Counsel didn't get sent to prison for fucking up the 48 hour deadline.

But, CVS and friends have a law (coincidentally also passed in 1996) that does not lay out exactly the process involved. Is a subpoena required? Or a warrant? Who knows! But your "major communications company" knew, because their law said what was needed (a warrant). What was the timeline on returning the data? Right now? 24 hours? 48 hours? Who knows! However, your "major communications company" knew (48 hours).
posted by Back At It Again At Krispy Kreme at 1:25 PM on December 12, 2023 [5 favorites]

“It’s unclear how many were related to law enforcement demands, or how many requests were fulfilled.”
Much reporting. Why can’t the WaPo actually find out what’s going on?
posted by Ideefixe at 1:49 PM on December 12, 2023 [2 favorites]

Absolutely - I always try and remind my "no regulations are the best regulations" friends that if shit isn't spelled out, someone is going to find a way to do the least work or worst work. Having it be explicit would make life more predictable at least, like at my former "major communications company".

The thought of the police just being able to get their hands on anyone's pharmacy records with a wave of a greased pencil is nauseating. (And of course they pull the trick of reaching out via other state's agencies to bypass local restrictions)
posted by drewbage1847 at 1:52 PM on December 12, 2023 [6 favorites]

Those pharmacies will turn medical records over in response to a mere subpoena.

Can a knowledgeable person explain who can, and who is likely to, issue subpoenas for medical records? I didn't get any sense of that from the article or the Congressional letter.
posted by Mr.Know-it-some at 2:02 PM on December 12, 2023 [2 favorites]

That's the fix! Giving even quasi-medical* info to non medical people has always worked out great! Giving more power to the police has been what has helped society so much.

Joking aside, I take a scheduled controlled substance under prescription.

It's tough enough dealing with the bureaucracy and bullshit psuedo-shaming from the docs, admins, and the pharmacy? Now I gotta worry if the police are accessing my prescription records if I get pulled over? I'm not %100 sure that my little safety fallback med supply I keep in my car is even legal to be driving with.

And that's just me, at least I'm not taking any pain meds other than OTC right now, but I'll wager that that's the real cudgel they're looking for. Maybe I should get scripts filled at the hospital now, at least you'd think they would at least have some idea of confidentiality. If it's strictly opt-in I wouldn't have such a massive issue with it, but you know it won't be.

*TBH it's pharmacy records, it's not like they can tell why you are given any particular drug, but I don't think that is going to stop anyone at all.
posted by Sphinx at 2:30 PM on December 12, 2023 [2 favorites]

What the actual Fuck? How is this legal?
posted by theora55 at 2:46 PM on December 12, 2023

FYI HIPAA has a carve out for law enforcement ¯\_(ツ)_/¯
posted by latkes at 3:29 PM on December 12, 2023 [11 favorites]

whistling Dixie on the way to Gilead
posted by hototogisu at 4:18 PM on December 12, 2023 [1 favorite]

This is especially scary with the way being trans is increasingly criminalized; not everyone on hormones is trans and not every trans person is (or wants to be) on hormones but I'm thinking about the cops showing up to a pharmacy and demanding a list of everyone who has a prescription for hormones and it's terrifying. I wrote up and deleted a whole thing about police enforcement of bigoted laws and similar and deleted it because I don't have the emotional energy to be measured and thoughtful about something so immediately terrifying but this is scary, law enforcement is scary, and I am scared.
posted by an octopus IRL at 6:47 PM on December 12, 2023 [22 favorites]

There's an easy fix. Find a sympathetic cop, get them to subpoena the pharmaceutical records for all of congress and all presidential candidates. This shit will be illegal in weeks of that happened and was publicized.
posted by Hactar at 12:47 AM on December 13, 2023 [8 favorites]

Mr. Know-it-some asked who is likely to subpoena pharmacy records. It's routine in civil personal injury lawsuits to subpoena medical and pharmacy records for the parties claiming injuries. (That process includes advance notice, and an opportunity to seek court intervention to protect the records.)
posted by mersen at 3:22 AM on December 13, 2023 [6 favorites]

Find a sympathetic cop

This year’s “assume a spherical cow.”
posted by aspersioncast at 7:48 AM on December 13, 2023 [4 favorites]

Erm I think you have to get a subpoena for a specific person, not everyone taking a specific med. And cops can't access pharmacy databases from their cars.

And I'm pretty sure cops don't make up their own subpoenas. Those come from attorneys via the court, right?
posted by Baethan at 5:47 AM on December 14, 2023