PRIVACY: Government Monitored Pharmacy Database (SB 355) (2009)
For the third time in as many sessions, the Board of Pharmacy introduced legislation, SB 355, to allow the state to create a statewide database to monitor the lawful prescriptions of controlled substance schedules II, III or IV issued to patients in Oregon. The database would cover all codeine-based products, most prescription pain medications and other prescription drugs such as Ambien, Ritalin and Xanax, prescribed to thousands of Oregonians, including children. Proponents expect the database will track more than five million Oregon prescriptions annually.
In addition to the Oregon Board of Pharmacy, the effort to pass SB 355 was led by the Oregon Department of Human Services, Sen. Alan Bates (D-Ashland), Sen. Bill Morrisette (D-Springfield), Sen. Jeff Kruse (R-Roseburg), Rep. Chip Shields (D-Portland), Rep. Jim Thompson (R-Dallas) and Rep. Ron Maurer (R-Grants Pass). They maintain that the database is necessary to deter drug seekers and drug abusers. We believe that the database will violate the medical privacy of hundreds of thousands of Oregonians and the risks outweigh any possible benefits.
The ACLU of Oregon led the effort to oppose this law. We argued that our private and personal medical information should not be the subject of surveillance by the state government and accessed by thousands of pharmacists and health care providers across the state. This law treats all Oregonians as potential drug abusers, in an attempt to ferret out a small percent of those who are inappropriately seeking drugs.
While a number of other states have similar databases, most have been funded by grants from the federal Department of Justice, which includes the Drug Enforcement Administration, the federal government’s law enforcement arm. To date there has been no evidence-based evaluation that these databases successfully solve the problem as proponents claim.
Despite the six-year effort to pass this legislation, BOP’s failure to do the necessary foundational work was identified in May by a Legislative Fiscal Office analysis of SB 355, exposing the significant weaknesses of this program and the lack of a realistic budget, work plan and security safeguards, to name just a few.
For several years, we had been highlighting the potential security risks of pharmacy databases. In April, the Virginia prescription database was breached, exposing over 8 million Virginians to medical identity theft. Even after this incident, proponents continued to assert the breach was only alleged. However, Virginia sent out notices to over half a million Virginians alerting them to the data theft, and the database was off line for more than two months. (As we’ve argued, these databases are particularly attractive for criminals because they put in one place sensitive and valuable information about millions of individuals.)
Despite all of this, led by the efforts of Sen. Bates and Rep. Tina Kotek (D-Portland), SB 355 moved forward and was amended in the Ways & Means Subcommittee on Human Services, turning the program over to the Department of Human Services (instead of the Board of Pharmacy), providing up to $250,000 to do the foundational work over the next six months, authorizing the collection of a $25 pharmacist and provider license fee and most importantly, implementing the law. Since the foundational work has yet to be done, we continue to question why the Legislature would enact the policy, leaving only final fiscal sign-off in February after DHS (a strong proponent of this legislation) puts together a work plan.
While some basic consumer protections were put in place after ACLU identified these obvious vulnerabilities, the final bill authorizes the government to collect our Schedule II, III and IV prescription information, place it in a government run database and allow pharmacists and providers to run a report on every single patient or customer. This overreaching authority allows a pharmacist to access this report even if he or she is selling you eye drops, birth control or any other medication and not a Schedule II, III or IV controlled substance.
SB 355 also allows DHS to decide when to allow this Oregon database to be accessed by other states with similar databases. Just like the proposed nationwide Real ID driver license database, the prescription database could become accessible to thousands of users across the country, none of them accountable to Oregonians.
As the Legislative Fiscal Office stated in its analysis, 60-80% of database breaches are internal. With thousands of pharmacists and providers (in Oregon alone) legally authorized to access your reports (without any notification to the patient), this law will send out an invitation for inappropriate snooping and possible legal misuse. Medical identity theft is widespread, and it only takes a few bad apples for significant damage to be done.
The outcry over SB 355 from our members and activists was unprecedented. We heard from various legislators that they had heard from constituents opposing SB 355. Despite this effort, SB 355 passed at the very end of session.
There were a number of legislators who worked hard to stop SB 355. (See our Scorecard.) We thank them all for their ongoing support to stop SB 355.
ACLU will continue to monitor the planning and implementation by DHS and will raise our concerns again when DHS provides a status report and seeks final authorization from the Legislature in February 2010.
LOSS: PASSED INTO LAW
**Scorecard Vote – Senate & House