Suffolk University Law Review

advertisement
COMMENTS
Are You Taking Any Prescription
Medication?: A Case Comment on
Weld v. CVS Pharmacy, Inc.
I. INTRODUCTION
Every day millions of individuals volunteer personal information in
order to receive the benefits of health care, insurance protection,
employment, driver’s licenses and consumer credit services. 1 Many of
them rarely question who can access this information or for what purpose
it is ultimately used.2 However, today’s rapidly changing computer
technology has created a mixture of advantages and disadvantages for
these individuals.3 The new technology allows organizations to operate
more productively and efficiently than ever before. 4 Unfortunately, these
improvements often result in “dramatically increased . . . volume and
detail of information gathering, maintenance, storage and dissemination”
of an individual’s personal data.5 This intensified record keeping has
made Americans “the most scrutinized, measured, counted and
interrogated people in the world,” 6 and has inevitably raised questions
regarding the access to, and confidentiality of, this stored information.
Due to the highly sensitive nature of health care data, the medical field
frequently struggles with issues of confidentiality and disclosure of patient
information.7 “Proponents of a computerized medical record have always
1.
See SPECIAL LEGIS. COMM’ N ON PRIVACY, REPORT OF THE LEGIS.
COMM’ N ON PRIVACY, H.R. DOC. NO. 5417 (1975), available in Massachusetts
Legislative Documents, H. 5417, Vol. 13, at 10 (1975).
2.
See id. Generally, people assume that the collection of some personal
information is necessary to living in a complex society. See id. This is especially
true where individuals demand “extensive goods and services from private
business and industry,” and “expect a high level of social and public services from
the government.” Id. at 10-11.
3.
See id. at 14.
4.
See id. at 14-15.
5.
Id. at 13.
6.
Id.
7.
See Terri Finkbine Arnold, Let Technology Counteract Technology: Protecting the Medical Record in the Computer Age, 15 HASTINGS COMM. & ENT. L.J.
455, 457 (1993). “[A] medical record ‘may contain more intimate details about an
909
910
NEW ENGLAND LAW REVIEW
[Vol. 35:4
been concerned with the problem of protecting sensitive patient
information from accidental or intentional disclosure.” 8 In considering the
effect of the electronic age on confidentiality, one expert “believes that the
new information technologies offer ‘tremendous opportunities,’ but they
also create ‘new legal and ethical issues.’” 9
This Comment will examine whether an individual’s privacy is invaded
when private pharmacies disclose or use the customer prescription
information in their databases to assist other private organizations with
implementation of various marketing activities. 10 This issue has already
surfaced in Massachusetts in the case of Weld v. CVS Pharmacy, Inc.11
This case, which has not yet been to trial, confirms that there is a gap in
the law that must now be addressed to ensure that individual pharmacy
records are not accessed by private companies without the informed
consent of patients. The novel issue presented in Weld v. CVS will be
used to shape the discussion and analysis throughout this Comment which
will explain the state of the law with regard to medical record privacy.
The discussion will focus mainly on an individual’s right to privacy
under the laws of Massachusetts with some comparison of the privacy
laws of other jurisdictions.12 There will also be some discussion of federal
privacy protections.13 Whether Massachusetts and other jurisdictions
should recognize a pharmacist-patient privilege will also be considered. 14
These issues regarding the confidentiality of pharmacy records are
individual than could be found in any single document,’ [and] . . . is the primary
source of information relating to every facet of health care, including medical
history, clinical treatment, and administrative and financial resources.” Id. (quoting PRIVACY PROTECTION STUDY COMMISSION, PERSONAL PRIVACY IN AN
INFORMATION SOCIETY 282 (1977)) (quoting testimony from Medical Records
Hearings, June 10, 1976, at 137).
8.
Id.
9.
Val Cardinale, Invasion of Privacy: Keeping Rx Records Confidential: A
Lost Cause?, DRUG TOPICS, Apr. 8, 1996, Vol. 140, No. 7, at 107.
10. See generally Weld v. CVS Pharmacy, Inc., 10 Mass. L. Rptr. No. 10,
217 (1999), available in No. 98-0897F, 1999 Mass. Super. LEXIS 261, at *3 (June
1, 1999). In general, Weld describes how pharmacies sometimes use their
prescription databases to create targeted mailing lists for drug manufacturers based
on the prescriptions filled by pharmacy customers. Armed with this information
the drug manufacturer sends a mailing to the targeted individuals recomm ending
additional or alternative medications, presumably manufactured by them, that may
complement those already being taken or that may relieve other ailments likely to
be suffered by those taking the particular prescription targeted. For more on CVS
Weld v. CVS Pharmacy, Inc., see discussion infra Part II.
11. No. 98-0897F, 1999 Mass. Super. LEXIS 261, at *3 (June 1, 1999).
12. See infra notes 146-95 and accompanying text.
13. See infra notes 237-315 and accompanying text.
14. See infra notes 408-30 and accompanying text.
2001]
WELD V. CVS PHARMACY, INC.
911
critically important for several reasons.15 “American society places a high
value on individual rights, autonomous decision making, and the
protection of the private sphere from governmental or other intrusion.”16
Unfortunately, there are indications “that Americans do not feel that their
privacy rights in health care information are adequately protected.” 17 This
is a problem because several negative consequences result from healthcare
information which is not afforded adequate protection.18 For example, if a
patient’s healthcare information is misused or publicized, both social and
psychological harm may ensue.19 There is also potential for the patient to
suffer economic harm, if the unauthorized disclosure results in a loss of a
job, insurance, or shelter. 20 If these disclosures remain unregulated,
patients will ultimately relinquish their right to decide who may access
their medical information.21
See infra notes 16-26 and accompanying text.
Lawrence O. Gostin, Health Information Privacy, 80 CORNELL L. REV.
451, 453 (1995) (footnote omitted).
17. Grace-Marie Mowery, Comment, A Patient’s Right of Privacy in
Computerized Pharmacy Records, 66 U. CIN. L. REV. 697, 727 (1998) (citing Louis
Harris and Assoc., Health Information Privacy Survey 22 (1993)). For example,
one poll indicated that 80% of those surveyed felt that consumers’ personal
information is disseminated and used without regard to consumer choice of how
the information is actually used. See id. at 727 n.283.
18. See Mowery, supra note 17, at 728. The following are some examples of
the documented abuses of sensitive patient information:
15.
16.
(1) disclosure that an employee . . . was an alcoholic; (2) sale of
abortion patient names to anti-abortion organizations; (3) extortion
based on knowledge that a patient was treated for venereal disease; (4)
informing an employer of an employee’s mental status; (5) disallowance
of health insurance eligibility based on an unconfirmed cancer
diagnoses; [and] (6) an employer requesting a list of HIV -infected
employees from his insurer in order to fire them.
Arnold, supra note 7, at 464.
19. See Mowery, supra note 17, at 728. A man who runs a support group for
individuals suffering from manic-depression, speaks openly about his own
suffering, but worries about the privacy of other patients in the group because risks
of disclosure may discourage individuals from joining support groups. See
Michael W. Miller, Data Tap: Patients’ Records are Treasure Trove for Budding
Industry, WALL ST. J., Feb. 27, 1992, at A1, A6. “‘For someone with an illness
like this you have a lot of people to trust. . . . You have to trust doctors, you have
to trust pharmacists, you have to trust your friends who might see you have an
episode, [and you have to trust] your co-workers. Why add to the list?’” Id.
20. See Mowery, supra note 17, at 728. In a study performed by the United
States Office of Technology Assessment, it was concluded that 30% of employers
permit their managers to inspect the medical records of employees, most likely
obtained from health insurance information in personnel files, without first
obtaining the employees’ permission. See Miller, supra note 19, at A6.
21. See Mowery, supra note 17, at 728.
912
NEW ENGLAND LAW REVIEW
[Vol. 35:4
Likewise, without adequate safeguards, the effectiveness of the patient’s
healthcare may suffer.22 “Patients will be less likely to divulge
information if they are unsure their privacy will be protected, . . . [and] [i]f
the information a patient gives is incomplete, diagnosis and treatment
might be incorrect.”23 In order to preserve the relationship between a
patient and pharmacist and to ensure the integrity of the information
provided by the patient, some form of privacy protection is necessary. 24
The fact that patients will not find out about an invasion of their privacy
until it has already occurred is yet another reason to further protect a
patient’s privacy rights.25 “Without accurate or trustworthy information,
the complex, [health care] information infrastructure that is emerging in
the healthcare system will not succeed.”26
Nevertheless, in creating a new policy to protect the privacy of an
individual’s healthcare information, the legitimate interests that drug
manufacturers have in this information must also be considered. 27 Some
circumstances exist where direct marketing by pharmaceutical companies,
possessing an individual’s healthcare data, may actually benefit patients.
For instance, Marion Merrell Dow, Inc., a pharmaceutical company, has
created a database of 350,000 heart patients currently using its heart
medication.28 This company uses its database to send these patients a
special newsletter concerning healthy living, hence providing a benefit for
See Gostin, supra note 16, at 490.
Mowery, supra note 17, at 728-29. “In the absence of the knowledge
that the pharmacist will respect the confidential nature of the communication, the
information may not be given and the pharmacist may not be able to effectively
provide the appropriate needed services.” John Berger, Patient Confidentiality in
a High Tech World, 5 OHIO N.U. J. PHARMACY & L. 139, 144. (1996); see also
Harlin G. Adelman & Wendy L. Zahler, Pharmacist-Patient Privilege and the
Disclosure of Prescription Records, 1 OHIO N.U. J. P HARMACY & L. 127, 152
(1992).
24. See Mowery, supra note 17, at 729. Furthermore,
22.
23.
“a serious effort should be made to enact laws that guarantee some
patient confidentiality with regard to pharmaceutical records, if not in
the information previously included such as a patient’s prescription
record, at least in the additional information sought for the patient’s
profile such as the patient’s personal medical h istory.”
Id. at 743 n.418 (quoting Brenda Jones Quick, The Cost of the Omnibus Budget
Reconciliation Act of 1990, 2 OHIO N.U. J. PHARMACY & L. 145, 164 (1994)).
25. See Berger, supra note 23, at 144..
26. Mowery, supra note 17, at 729.
27. See id. at 729-30; see also Joshua D. Blackman, A Proposal for Federal
Legislation Protecting Informational Privacy Across the Private Sector, 9 SANTA
CLARA COMPUTER & HIGH TECH. L.J. 431, 454 (1993).
28. Miller, supra note 19, at A6. The patients in the database developed by
Marion Merrell Dow were taking the drug Cardizem which is manufactured by this
company. See id.
2001]
WELD V. CVS PHARMACY, INC.
913
these individuals.29 A computer system was developed by another
pharmaceutical company which allows pharmacists to track the dispensing
of a patient’s medication and then suggests drugs that might complement
the patient’s current medication or recommend the substitution of a drug
likely to cause fewer side effects.30 Furthermore, the pharmaceutical
companies claim that the knowledge gained from patient information can
be useful in recommending the most effective treatments and drugs for
specific cases, thereby producing the best possible results for the patient at
the lowest cost.31
It is clear that the proper use of these computerized databases can
provide enormous benefits.32
However, their misuse can cause
33
irreversible injury.
As with “most other areas of the law, we must
engage in the delicate task of weighing competing interests” to determine
when an individual’s medical information should be disclosed. 34 To
determine whether such an invasion is warranted, the following factors
should be considered:
[T]he type of record requested, the information it does or might contain, the
potential for harm in any subsequent nonconsensual disclosure, the injury
from disclosure to the relationship in which the record [is] generated, the
adequacy of safeguards to prevent unauthorized disclosure, the degree of
need for access, and whether there is an express statutory mandate,
articulated public policy or other recognizable public interest militating
toward access.35
See id.
See Mowery, supra note 17, at 733. For example, “a patient on estrogen
might be advised to also take calcium supplements. After identifying such a
patient, the pharmaceutical company would send a letter to the pharmacist, who
would then send a letter to the patient with the recommendation.” Id. at 733-34
(footnotes omitted).
31. See Margaret Ann Cross, Drug Companies See Opportunities in Health
Information Technology, HEALTH DATA MGMT., Oct. 1, 1996, at 70. The vice
president and CIO at Eli Lilly, a pharmaceutical company, states “‘[w]e are going
to be a health care solutions company, which includes making pills but which also
highly leverages information technology to understand better the cause and effect
of people’s illnesses and well being.’” Id.
32. See Beth Hahn Gerwin, Note, Computer Related Litigation Using Tort
Concepts, 9 AM. J. TRIAL ADVOC. 97, 115 (1985).
33. See id. (explaining how the pervasive use of computers in private
industry has increased the incidences of computer-related litigation). Courts have
generally applied a balancing test in light of the “tension between the potential for-injury and benefit” whereby an individual’s right to privacy is weighed against
the need of private entities to disclose personal information. Id.
34. United States v. Westinghouse Elec. Corp., 638 F.2d 570, 578 (3d Cir.
1980).
35. Id. at 578.
29.
30.
914
NEW ENGLAND LAW REVIEW
[Vol. 35:4
The “battle lines are being drawn” with the privacy advocates on one
side and the data-users on the other.36 The privacy advocates, which
include “civil libertarians, disability advocates, some consumer groups
and health care provider groups,” are demanding rigorous governmental
regulation of medical record privacy in order to protect the values of
personal autonomy and to prevent the stigmatization and humiliation of
patients.37 They derive their support from polling data which indicates
that Americans desire increased privacy protection and evidences
numerous instances detailing the inappropriate, and often illegal
disclosures of private medical information.38 Conversely, the data-users
which include “managed care organizations . . . , health insurers, medical
and health policy researchers and pharmaceutical companies” are content
to maintain the status quo regarding medical record accessibility and claim
to support stiff penalties when this data is misused. 39 Even those who
support the most severe restrictions “believe that a balance must be struck
between access and privacy interests . . . . However, as with most
controversial legislation,” the difficulty arises in hammering out the
details.40 Both sides may agree on the fundamental principles behind the
legislation, however, the flexibility required by one party may be
36. Helena Gail Rubinstein, If I Am Only for Myself, What Am I? A
Communitarian Look at the Privacy Stalemate, 25 AM. J. L. & MED. 203, 204-05
(1999) (evaluating the arguments of privacy advocates and data users with regard
to proposed federal legislation intended to protect the privacy of individual
medical records).
37. Id. at 204.
38. See id. There are several instances in which personal medical data has
been inappropriately disclosed. A complaint documented by one health care
institution involved employees accessing lab results of their co -workers prior to
asking for social dates. See Arnold, supra note 7, at 464. Similarly, an Ohio
hospital employee was acquitted after locating a friend’s AIDS diagnosis in a
hospital computer and revealing this information to other hospital employees. See
id. (citation omitted). For other examples of abuse of medical record privacy, see
supra note 18.
39. Rubinstein, supra note 36, at 205. Beyond the data-users mentioned
above are law enforcement agencies, employers, and a number of entrepreneurs
who seek out the medical data of individuals in order to sell it to research and
marketing companies for a profit. See id.
40. Id. One doctor noted that care must be taken “not to inadvertently harm
the interests of individual patients by unnecessarily restricting access to
information needed” for medical research. Hearing on Patient Confidentiality:
Testimony Before the Subcomm. on Health of the House Committee on Ways and
Means, 105th Cong. (Mar. 24, 1998) (statement of Harry A. Guess, M.D., Ph.D.,
on behalf of Merck & Co., Inc.), available at <http://www.house.gov/ways_means/
health/testimony/3-24-98/3-24gues.htm>.
2001]
WELD V. CVS PHARMACY, INC.
915
perceived as an unsatisfactory loophole by the other. 41 Lawmakers must
choose a policy that adequately protects the privacy interests of patients,
while simultaneously permitting private companies to pursue their
business interests.42
II. BACKGROUND
A. Factual Background of Weld v. CVS Pharmacy, Inc.
In 1998, defendant CVS Pharmacy, Inc. (CVS) implemented a Patient
Compliance Program (PCP).43 The purpose of this program was to send
mailings to certain designated customers providing them with information
regarding new drugs, reminding them to refill their current prescriptions,
or encouraging them to consult with their physicians about potential
medical conditions.44 These mailings were funded by various drug
manufacturers, also named as defendants in this action, and CVS asserts
that each mailing indicated the manufacturer responsible for financing it.45
The two plaintiffs in this suit, John Weld and Jeffrey Kelley, both filled
prescriptions at CVS and consequently, their names, addresses, dates of
birth, and medical and prescription information were stored in the
company’s databases.46
Undisputedly, Kelley received a mailing
regarding high cholesterol in June, 1997. 47 Even though the mailing did
not indicate that Kelley suffered from high cholesterol, it encouraged him
to discuss the hazards of this condition with his doctor. 48
At a deposition in the fall of 1997, Kelley, a diabetes sufferer, testified
that he had received marketing materials for diabetes medications in the
See Rubinstein, supra note 36, at 205.
See Mowery, supra note 17, at 730-31. The legislation created to protect
informational privacy contemplate the realities in the marketplace. See id. at 731
n.308. These laws must satisfy the informational needs of business, yet do so in a
way that is simultaneously fair to the consumer. See id.
43. See Weld v. CVS Pharmacy, Inc., No. 98-0897F, 1999 Mass. Super.
LEXIS 261, at *3 (June 1, 1999).
44. See id. “The PCP is presently the subject of an ongoing investigation by
the Massachusetts Board of Registration in Pharmacy.”
Id. at *7 n.9.
Furthermore, it is relevant to note that Elensys Care Services, Inc. (Elensys), the
company coordinating these mailings for CVS, was informed in April, 1997, by
the Maryland Board of Pharmacy that written waivers should be obtained by
customers before commencing similar marketing services for a Maryland
pharmacy, pursuant to a comparable program. See id.
45. See id. at *3.
46. See id
47. See id. at *3-*4.
48. See id. The letter indicated that it had been funded by the drug
manufacturer Merck. See id. at *4.
41.
42.
916
NEW ENGLAND LAW REVIEW
[Vol. 35:4
mail, but he had no recollection as to who had sent them. 49 Kelley further
testified that prior to filling his prescriptions at CVS he had purchased
these medications at another drug store.50 CVS acknowledged that it
produced a diabetes mailing in October, 1997, however, it asserted that
Kelley could not have received this mailing because it had targeted
customers filling a certain type of prescription at CVS, which Kelley had
never filled there.51
Furthermore, Weld does not dispute that he never received a mailing,
and it is contended by CVS that he was never included in the list targeted
to receive one.52 Therefore, CVS reasons that it could not possibly have
“disseminated any information about Weld to any of the other
defendants.”53 CVS tries to further defend itself by explaining that the
means utilized to target customers for receipt of specific mailings was
highly impersonal and technical.54 “For the high cholesterol mailing, CVS
personnel conducted a key word search of CVS’s entire customer database
based on the customer’s condition or prescriptions, and arrived at a target
list of customers designated to receive the [high] cholesterol mailing.”55
Weld was not targeted to receive the mailing because his profile did not
contain any of the desired criteria.56 However, Kelley, as a diabetes
sufferer met the criteria necessary for inclusion in the mailing list. 57 Once
this search of CVS’s database was completed, the “list of the designated
customers’ names, addresses and dates of birth was . . . compiled on a
diskette, which CVS gave to Elensys.”58
The contract between CVS and Elensys indicated that CVS would send
their customer prescription information to Elensys and stated that “‘[CVS]
agrees to provide to Elensys all pharmacy records and prescription
information which Elensys and [CVS] mutually agree are necessary for
Elensys to render the Patient Compliance Services.’” 59 This contract also
provided that confidentiality of CVS’s patient information be strictly
See Weld, 1999 Mass. Super. LEXIS 261, at *4.
See id.
See id.
See id.
Id.
See id.
Weld, 1999 Mass. Super. LEXIS 261, at *4-*5.
See id. at *5.
See id.
Id. Elensys is a mailing company and also a named defendant in this
action, which contracted with CVS to execute the actual mailings. See id.
59. Id. at *5-*6. CVS alleges in an affidavit that Elensys did not have
access to its customer prescription records nor its database and that Elensys had
only customer information for those individuals included in the mailings. See id.
at *6 n.7. However, CVS fails to indicate how much information was disclosed to
Elensys regarding the customers included in the targeted mailing list. See id.
49.
50.
51.
52.
53.
54.
55.
56.
57.
58.
2001]
WELD V. CVS PHARMACY, INC.
917
maintained, requiring Elensys to implement extensive safeguards to ensure
that it was.60 The final list of names and addresses was then transmitted to
a mail fulfillment house employed by Elensys to collate and send out the
mailing.61 It is urged by the defendants that this mailing process entailed
minimal human participation and was highly automated. 62 The defendant
pharmaceutical companies, who participated in these mailings, also
maintain that they had no access to CVS’s customer databases, were given
no customer information by CVS, and that their participation was limited
to supplying CVS with data regarding the drugs promoted in the mailings
which these drug companies funded.63
The plaintiffs brought several claims against CVS, but this Comment
will mainly focus on count one, which alleges that CVS “violated the
plaintiffs’ right of privacy as set forth in [chapter 214, section 1B of the
Massachusetts General Laws].”64 Presently, CVS’s motion for summary
judgment in this case has been denied.65 In denying this motion, the court
indicated that “there are genuine issues of material fact as to the legality of
CVS’s conduct towards the named plaintiffs Weld and Kelley, so that
summary judgment is inappropriate.”66 Furthermore, the court stated that
“whether CVS’s conduct as to plaintiff Kelley constituted a violation of
[chapter 214, section 1B of the Massachusetts General Laws] presents a
novel question suitable for initial resolution by a jury.”67
60. See id. at *6. With regard to the high cholesterol mailing received by
Kelley, Elensys indicated in affidavits that it participated in these mailings to the
extent it applied a special computer program to CVS’s diskette in order to correct
address errors and remove duplicate names from the mailing list. See id.
61. See Weld, 1999 Mass. Super. LEXIS 261, at *6. The contract between
Elensys and the fulfillment company also included strict terms concerning
confidentiality. See id. at *6 n.8.
62. See id. at *6-*7.
63. See id.
64. Id. The other counts alleged by plaintiffs against CVS include: breach
of its duty of confidentiality and fiduciary duty to the plaintiffs; violation of the
Massachusetts consumer protection statute, chapter 93A; tortious misappropriation
of private and personal information; and conspiracy with the other defendants to
violate the plaintiffs’ rights. See id.
65. See id. at *11.
66. See id.
67. Weld, 1999 Mass. Super. LEXIS 261, at *16. With regard to plaintiff
Weld, who never actually received a mailing but whose name and prescription data
were housed in the database used by CVS to help implement its marketing
program, the court denied CVS’s motion for summary judgment without prejudice
pending further discovery to determine if CVS actually disclosed any of Weld’s
prescription information. See id.
918
NEW ENGLAND LAW REVIEW
[Vol. 35:4
B. The New Legal and Ethical Issues
The principle issue is one of access.68 Will patients have the power to
permit or deny access to medical data maintained by their pharmacist? 69
The collection of medical information begins when a patient visits “a
health care provider and continues through diagnosis, treatment and
billing.”70 “This process generates data relating to a patient’s medical and
financial history, symptoms, signs and treatment options, [ultimately]
including prescription medications.”71 A variety of organizations and
institutions, other than patients and health care workers, seek to access
medical records.72 Those seeking access include insurance companies,
government officials, law enforcement, employers, lawyers, researchers,
educators, and most prescription drug manufacturers. 73 It is unfortunate
that the laws governing medical record privacy have not kept pace with
the constantly increasing risks inherent in disclosure. 74 The prescription
files maintained by pharmacists, in particular, have little authority
governing their confidentiality.75 In the past, a pharmacist’s lack of access
to a patient’s medical information prevented him from providing true
pharmaceutical care.76 However, new computer technology allows
pharmacists to be more proactive in counseling patients, in addition to
“sav[ing] time and money by using a computer to dispense prescriptions,
fill out forms, and process insurance claims.” 77
See Cardinale, supra note 9, at 107.
See id.
Paul T. Cuzmanes & Christopher P. Orlando, Automation of Medical
Records: The Electronic Superhighway and its Ramifications for Health Care
Providers, 6 OHIO N. U. J. PHARMACY & L. 19, 25 (1997).
71. Id.
72. See Adelman & Zahler, supra note 23, at 128.
73. See id.
74. See id. The authors further explained that:
68.
69.
70.
Although the trend in the law favors increased confidentiality of
medical records, the demands of the real world favor increased
disclosure. Accordingly, it is the responsibility of pharmacists,
physicians, and other health care professionals to understand this
tension and to educate themselves as to the best approach for handling
the sensitive and legally murky issues that arise with each disclosure of
medical records or exchange of medical information.
Id.
75.
76.
77.
See id. at 127.
See Cardinale, supra note 9, at 107.
Mowery, supra note 17, at 697.
2001]
WELD V. CVS PHARMACY, INC.
919
C. The Evolution of the Pharmacist’s Role
It is quite evident that there have been dramatic changes in the practice
of the profession of pharmacy. 78 Gone are the days when a pharmacist’s
primary concern was dispensing the right drug, in the right strength and
amount.79 Today, in addition to dispensing medication, pharmacists are
heavily involved in patient care and are increasingly concerned with the
outcome of a patient’s treatment.80 In order to perform their job
effectively, pharmacists must have access to all of a patient’s relevant
medical information.81 This access allows pharmacists to provide better
treatment to each individual because they are better informed about an
individual’s medical background and the circumstances which have led to
the need for a particular type of medication. 82 In order for a computer to
aid pharmacists with their various responsibilities, a patient’s personal
information must be entered into the pharmacy’s system. 83
The
information entered usually includes a patient’s birth date, gender,
allergies to certain drugs, any disease being treated, and some databases
even maintain “lifestyle notes on alcohol, caffeine and tobacco use,
pregnancy, and exercise.”84
Computerization of medical records has played a substantial role in
improving patient care by providing doctors and pharmacists with more
accurate, timely, and comprehensive medical records for their patients. 85
The ability to easily access a patient’s medical history is extremely useful
not only to pharmacists, but also to the other health care providers with
whom they interact when treating a patient.86 For example, pharmacists
now have the potential to save lives and avoid harmful drug interactions
See Berger, supra note 23, at 139.
See id.
See id. “[T]he scope of the practice [of pharmacy] took a giant leap
forward when Congress enacted the Omnibus Budget Reconciliation Act of 1990
(OBRA 90) . . . . OBRA 90 set forth minimum standards of pharmaceutical care
that all states must require pharmacists to perform when dispensing Medicaid
prescriptions (as a Medicaid funding mechanism).” Id. at 139-40. These standards
include: requiring the pharmacist to meet with and interview the patient in person
in order to provide the patient with counseling regarding their drug therapy;
requiring the pharmacist to create patient profiles, recording the pati ent’s disease
state in addition to the pharmacist’s notes; and requiring pharmacists to perform
prospective drug use review along with patient consultations. See id. at 140.
81. See id.
82. See id.
83. See Mowery, supra note 17, at 698-99.
84. Id. at 698.
85. See Arnold, supra note 7, at 460.
86. See Michael Slezak, Pharmacy’s Big Screen Drama, A M. DRUGGIST ,
Nov. 1, 1996, at 39.
78.
79.
80.
920
NEW ENGLAND LAW REVIEW
[Vol. 35:4
by using computers to screen a patient’s prescriptions. 87 If a patient is
being treated by several doctors at one time, each doctor may be unaware
of which medication the other is prescribing. 88 The pharmacist, however,
by simply checking a patient’s computerized file, is able to view all of the
medications currently being used by a patient and can notify the patient’s
primary-care physician about potentially harmful interactions.89 As a
result, the doctor may prescribe an alternative medication, thus averting a
potentially fatal disaster.90
D. Computerized Pharmacy Records and Third Parties
As key members of the healthcare team, it is crucial that pharmacists
actively assist in developing standards for the automation of medical
records.91 They must also remain acutely aware of the implications of
automation on their practice.92 However, most of the controversy
surrounding the confidentiality of pharmaceutical records does not stem
from the pharmacist’s access to a patient’s private medical information. 93
More often, concern arises when third parties, generally “big business,”
are given access to this highly sensitive and private data. 94 “The medical
record is . . . a rich repository of information [to] third parties . . . . [A]
modern medical record can be used in many different ways outside the
treatment process. The growing awareness of medical records as a source
of information is one reason why disclosure of the record is increasingly
demanded.”95 Today’s pharmacists are keenly aware that the market for
prescription data is now a big business and that there is a lot of money to
be made in it, especially for the drug manufacturers. 96 As a result of the
new technology, pharmacists are now an important “part of a new market
for the information in their databases.” 97 Without their participation in
providing this information, the market will likely be less extensive.
The promotional activities of the pharmaceutical industry are becoming
more and more aggressive.98 Pharmaceutical companies now endeavor to
See Mowery, supra note 17, at 698.
See id. at 698.
See id.
See id.
See Cuzmanes & Orlando, supra note 70, at 20.
See id.
See Rubinstein, supra note 36, at 229.
See id. Polling data indicates that next to the government, individuals
are most upset about “big business,” meaning private corporations, having access
to their private medical information. See id.
95. Mowery, supra note 17, at 698 n.17 (citations omitted).
96. See id. at 699 n.16.
97. Id. at 699.
98. See David Woodward, The New Drug Marketing:
A Consumer
87.
88.
89.
90.
91.
92.
93.
94.
2001]
WELD V. CVS PHARMACY, INC.
921
expand their traditional form of promotion, targeting physicians with
individual sales calls, to include direct advertising to consumers, various
“promotional practices involving payments to health care providers, and a
very high level of merger activity.”99 The National Association of Boards
of Pharmacy (NABP) has voiced extreme concern regarding the activity of
some third-party organizations, including insurance companies, pharmacy
benefits management companies,100 and marketing firms.101 As a result,
NABP has developed a set of guidelines covering the confidentiality of
patient records with regard to patient compliance and intervention
programs.102
“Some third-party programs that exist outside the
pharmacist/patient relationship may [even] try to switch a patient’s
medication or direct the patient away from a course of therapy for
economic or financial gains.”103 This is one of the practices the NABP
would like to curb with its new guidelines. 104 Many private companies
Protection Perspective, 51 FOOD & DRUG L.J. 637, 638 (1996). Remarkable
changes have occurred in the healthcare market and the forces driving the
pharmaceutical industry are no exception. See id. “[C]ost containment has
become a driving force in the new market [along with] the role of third -party
payors . . . becoming increasingly important.” Id.
99. Id.
This merger activity is occurring “among pharmaceutical
manufacturers and between pharmaceutical companies and [pharmacy benefit
management companies (PBMs)].” Id.
100. There are new confidentiality concerns with regard to the increased use
of PBMs. See RxNews: Prescription Privacy, HEALTH FACTS, Apr. 1, 1999, at 4.
“PBMs are relatively new commercial enterprises which use management skills,
along with considerable purchasing clout, to reduce the cost of the drug benefits
offered by health plans to their enrollees. This has become critically important
because [the cost of] prescription drugs . . . [is] rising at a faster rate than any
other health care item.” Id. “[T]he drug benefits of the vast majority of
Americans with health insurance” are now managed by PBMs. Id. “PBMs collect
and analyze information about large numbers of patients, their medical histories,
prescriptions, drug interactions, drug effectiveness and treatment outcomes,
creating an electronic database that is coveted by drug makers for use in their
marketing and research efforts. The result is that PBMs make money by selling
their databases to others.” Id. Since the disclosure of this personally identifiable
prescription information is not regulated, any stranger can now access the personal
information of individual consumers without obtaining any prior consent or giving
any prior notification to those individuals. See id.
101. See Rebecca Porter, Pharmacy Association Sets Guidelines for Privacy,
TRIAL, Mar. 1999, at 98, 99, 100.
102. See id. at 100. The NABP defines patient compliance and intervention
programs as programs “that contact the patient or caregiver to improve the
patient’s use of prescribed medication and promote appropriate monitoring and
self-reporting of medication use; provide educational information about the
patient’s disease state; and discuss and/or affect a patient’s therapy or choice of
medication.” Id.
103. Id.
104. See id.
922
NEW ENGLAND LAW REVIEW
[Vol. 35:4
presently collect prescription records from pharmacies and then
subsequently sell them to pharmaceutical companies. 105 These companies
obtain permission to access the records by providing certain services to
the pharmacies.106 However, many patient-privacy advocates contend that
“[r]egardless of how [confident a] pharmacist or physician feels about the
[confidentiality] safeguards” the pharmaceutical companies claim to be
using, “the industry should never [be permitted to] get its hands on
medical records in the first place.”107
There is no doubt that the information collected by pharmacists
represents a substantial financial value to commercial enterprises. 108 The
pharmaceutical companies defend themselves by arguing that they are
only interested in the aggregate information of patients. 109 However, these
companies have used the patient information they have received for direct
105. See Mowery, supra note 17, at 699-700.
Medco Containment Services Inc., the nation’s biggest mail-order
prescription operation, last year created a subsidiary to sell its
customers’ prescription records, in addition to prescription data it buys
from the American Association of Retired Persons. Medco sorts
everything by the names of physicians and gives their addresses.
Drug companies love that extra feature because they can zero in on
physicians most likely to go for their mailings.
Id. (quoting Michael W. Miller, Data Tap: Patients’ Records are Treasure Trove
for Budding Industry, WALL S T. J., Feb. 27, 1992, at A1, A6).
106. See Mowery, supra note 17, at 700. These services often include
providing new hardware and software to pharmacists allowing them to more easily
track patient information. See id. Sometimes though, it is money that is given to
the pharmacies in exchange for patient prescription data. See id. Also,
“[p]hysicians and pharmacists routinely open up their patient records to data collectors that sell them to pharmaceutical companies hungry to know exactly how
their products are selling . . . . [N]early half of the 1.6 billion prescriptions filled
each year in the U.S. pass along this chain.” Miller, supra note 19, at A6.
However, the physicians and pharmacists involved in these sales do not feel that
they threaten patient privacy, since the data-collectors insist that all patient names
are deleted from the information. See id. Nevertheless, those who criticize these
practices say that medical record custodians “have no business entrusting them,
without patients’ knowledge or consent, to an unregulated industry.” Id.
107. Miller, supra note 19, at A6. However, not all doctors and pharmacists
are willing to sell the information in their databases.
A pharmacist in
Williamsburg, Virginia who turned down a monetary offer from a data collection
company interested in access to her records states, “‘I have no clue what they’re
pulling off my computer, and I don’t trust what they’re telling me . . . . I’m not a
computer expert. I have patients to protect and a business to protect.”’ Id.
108. See Mowery, supra note 17, at 699 (citing Adele A. Waller, Health Care
Information Issues in Health Care Reform, 16 WHITTIER L. REV. 15, 18 (1995)).
With patient information in their possession, pharmaceutical companies can i mprove their product marketing to customers and healthcare providers. See id.
109. See Miller, supra note 19, at A6.
2001]
WELD V. CVS PHARMACY, INC.
923
marketing purposes.110 This requires the “company to use the specific
names and addresses of the group of individuals that have been
targeted.”111 This type of targeted patient information is exactly what the
pharmaceutical companies need to market their products to patients and
healthcare providers, and its usage is consistent with current direct
marketing practices.112
E. Patient Privacy and Pharmacy Records
When the divulgence of medical information in some way imparts a
medical or financial benefit to the patient, many theorize that such
disclosures are justified by implied consent.113 “Thus, the patient
consents, or is presumed to consent, to the disclosure of information to
other health care professionals to provide appropriate treatment, to
insurers to assure payment, or to researchers or regulators to maintain
effective oversight or evaluation services.”114 Nevertheless, vast amounts
of information are constantly collected on American consumers and the
manner in which these facts are utilized is fundamentally important. 115 If
a pharmaceutical manufacturer represents to consumers that the data being
collected will only be used for drug utilization review purposes, this
promise should be honored or at the very least, the company “should fully
describe all uses that may be made of such information.” 116 Ultimately,
drug manufacturers should not use a patient’s confidential medical
information for marketing purposes.117 Since today’s consumers place a
great deal of importance on the privacy of their medical records,
pharmaceutical manufacturers should design and implement their various
promotional programs and practices with this in mind. 118
A 1993 privacy survey revealed that “forty-eight percent of the public,
representing 89,000,000 Americans, are highly concerned about issues of
medical privacy.”119 The survey also found that sixty percent of all
Americans:
See id.
Mowery, supra note 17, at 733.
See id.
See Gostin, supra note 16, at 523.
Id.
See Woodward, supra note 98, at 648.
Id. Many privacy specialists agree that most patients never become
aware of confidentiality violations. See Miller, supra note 19, at A1. However,
many patients who learn of the violations may not want to risk further exposure by
calling attention to the breach of confidentiality. See id.
117. See Woodward, supra note 98, at 648.
118. See id.
119. Id. (quoting HARRIS -EQUIFAX, HEALTH INFORMATION P RIVACY S URVEY
(1993) (study no. 934009)).
110.
111.
112.
113.
114.
115.
116.
924
NEW ENGLAND LAW REVIEW
[Vol. 35:4
[F]eel that it would be unacceptable for pharmacists to provide
pharmaceutical companies with the names of customers using certain
medications for use in direct mail; sixty-six percent felt that it would be
unacceptable for hospitals to use the names of patients to solicit donations;
and sixty-four percent stated that their permission should be required before
their medical records could be used for research purposes, even if no
personally identifiable information were published. 120
The public concern surrounding this sensitive issue is also reflected in
the media attention it receives, as well as in the concern exhibited by
Congress and former President Clinton121 in protecting the confidentiality
of medical information.122
F. Privacy Laws and Pharmacists
Presently, the medical information in the United States (U.S.) receiving
the most protection is that of individuals procuring care from federally
financed drug and alcohol treatment centers. 123 Unless an individual is
enrolled in one of these governmental substance abuse clinics, the
protection of individual medical records is wholly inadequate. 124 “Health
records privacy law [in the U.S. currently] consists of a patchwork of state
120. Id. (quoting HARRIS -EQUIFAX, HEALTH INFORMATION P RIVACY S URVEY
(1993) (study no. 934009)).
121. As recently as October 29, 1999, President Clinton urged Congress to
take further steps to safeguard the electronic medical records of patients. See
Sonya Ross, Clinton Aims to Shield Electronic Medical Records (visited May 10,
2001) <http://www.abcnews.go.com/sections/us/DailyNews/insurance991029.html
>. One of the President’s greatest concerns was keeping a patient’s private
medical information out of the hands of marketers. See id. The President also
expressed concern about the great discrepancies among state laws protecting the
privacy of individual medical records. See id. Currently, federal law does not
protect an individual’s private medical information from being disseminated to
employers, sold to pharmaceutical companies or distributed throughout the office
of insurance company. See id.
122. See Woodward, supra note 98, at 648-49; see also, e.g., Medical Records
Confidentiality Act of 1995, S. 1360, 104th Cong., Fair Health Information
Practices Act of 1994, H.R. 4077, 103d Cong..
123. See P AUL M. S CHWARTZ & J OEL R. R EIDENBERG , DATA P RIVACY LAW
165 (1996).
124. See id.; see also Richard C. Turkington, Legal Protection for the
Confidentiality of Health Care Information in Pennsylvania: Patient and Client
Access; Testimonial Privileges; Damage Recovery for Unauthorized Extra-Legal
Disclosure, 32 VILL. L. REV . 259 (1987); Paul M. Schwartz, The Protection of
Privacy in Health Care Reform, 48 VAND. L. REV. 295 (1995) (discussing health
reform issues relating to privacy and computerized data). See generally Gostin,
supra note 16 (discussing laws regarding the confidentiality and health records).
2001]
WELD V. CVS PHARMACY, INC.
925
and federal laws that leaves large segments of health records with little
legal protection.”125 These laws mainly provide protection for health
records that are under governmental control or in limited cases protection
is provided for specific kinds of medical information. 126 Also hindering
privacy protection is the lack of uniformity among state laws.127 In an era
when interstate data transfers are prevalent, this inconsistency in the laws
of the states only weakens the protection of an individual’s health
records.128
Congress’ Office of Technology Assessment recently
concluded that “‘[t]he present legal scheme does not provide consistent,
comprehensive protection for privacy in health care information, whether
it exists in a paper or computerized environment.”’ 129
III. THE RIGHT OF PRIVACY IN MASSACHUSETTS
The Massachusetts Legislature has declared the existence of an
individual’s right to privacy. 130 Instead of creating a detailed and
125. R ICHARD C. TURKINGTON & ANITA L. A LLEN, P RIVACY LAW: C ASES AND
MATERIALS 223-24 (1999).
126. See S CHWARTZ & R EIDENBERG , supra note 123, at 165-66. The medical
information that is specifically protected by law includes records containing highly
personal or especially intimate data. See TURKINGTON & A LLEN, supra note 125,
at 224. Drug and alcohol and mental health treatment records all fall into this
category and enjoy strong privacy protection. See id.
127. See S CHWARTZ & R EIDENBERG , supra note 123, at 166.
128. See id.
129. Id. (quoting O FFICE OF TECHNOLOGY ASSESSMENT , P ROTECTING P RIVACY
IN C OMPUTERIZED MEDICAL INFORMATION 13 (1993)). The existing patchwork of
law has a number of shortcomings. See id. at 167 An example of one is the abuse
of the idea of “informed consent.” See id.
Informed consent should protect not only physical self -determination
but informational self-determination as well. It should serve a role in
furthering data protection’s goal of organizing information processing
in a way that furthers the individual’s capacity for free decision making.
A consent to the application of one’s personal medical data can only be
informed . . . . Yet in the United States, the current norm is
“uninformed consent” to disclosure of personal medical data. Service
payors, such as insurance companies and service providers, such as
doctors and clinics, generally have their customers, the consumers of
health care services, sign broad, “blanket” disclosure releases. These
disclosure documents have been used to justify almost any secondary
use of medical data.
Id. Furthermore, these broad releases have allowed for the disclosure of medical
information to pharmaceutical companies, employers seeking data regarding their
workers, direct market mailers, and the Medical Information Bureau, which is a
non-profit organization that provides medical information to insurance companies
for the purpose of insurance fraud prevention. See SCHWARTZ & REIDENBERG ,
supra note 123, at 167-68.
130. See MASS . GEN. LAWS ch. 214, § 1B (2000).
926
NEW ENGLAND LAW REVIEW
[Vol. 35:4
comprehensive statute, the legislature has left the interpretation of a very
broadly worded law to the courts, which must forge workable rules,
principles, and applications of it.131 The statute states that “[a] person
shall have a right against unreasonable, substantial or serious interference
with his privacy. The superior court shall have jurisdiction in equity to
enforce such right and in connection therewith to award damages.” 132
Since there is no generally accepted definition of privacy and because of
the statute’s broad language, responsibility has fallen on the courts to
define the meaning of an individual’s right to privacy in Massachusetts.133
However, the legislature was insightful in creating this sweeping
definition of privacy.134 Even in the early 1970s, when the statute was
created, its drafters were able to envision the serious threat that electronic
technology posed to individual privacy, especially if this technology were
in the hands of public and private bureaucracies. 135 Consequently, the
drafters realized that the “law of privacy must have the ability to grow and
to adapt to changing circumstances” and that it should not be restricted by
its past interpretations.136
A. History of Massachusetts Privacy Law
In Baker v. Libbie, 137 the Massachusetts Supreme Judicial Court (SJC)
was first presented with the issue of an individual’s privacy rights. 138 In
this case, an auctioneer of manuscripts attempted to publish and sell
various personal letters written and signed by Mary Baker Eddy, the
founder of Christian Science.139 These letters were written by Ms. Eddy to
a cousin referring to various household matters and also to Ms. Eddy’s
business and personal activities.140 As requested by the Estate of Mary
Baker Eddy, the unanimous court enjoined the actions of the auctioneer
concluding that “[t]he right of the author to publish or suppress
publication of [her] correspondence is absolute in the absence of special
considerations, and is independent of any desire or intent at the time of the
writing.”141 Furthermore, the recipient’s “unqualified title in the material
on which [the letter] is written . . . is subject . . . to the proprietary right
131. See William L. Pardee, Note, The Massachusetts Right of Privacy
Statute: Decoy or Ugly Duckling?, 9 SUFFOLK U. L. REV. 1248, 1248 (1975).
132. MASS . GEN. LAWS ch. 214, § 1B.
133. See Pardee, supra note 131, at 1248-49.
134. See id. at 1250.
135. See id. at 1249-50.
136. Id. at 1250.
137. 97 N.E. 109 (Mass. 1912).
138. See id. at 109.
139. See id.
140. See id.
141. Id. at 111.
2001]
WELD V. CVS PHARMACY, INC.
927
retained by the author for [herself] and [her] representatives to the
publication or nonpublication of ideas in its particular verbal
expression.”142 Accordingly in Baker, the court did not directly consider
the invasion of privacy issue by reasoning that the content of the letters
was not such that even if read by strangers would have caused
embarrassment or hurt feelings to the author. 143 Instead the court chose to
resolve the privacy issue with the application of copyright law. 144
More than half a century later, Massachusetts was no closer to
recognizing the right of privacy than it had been in Baker.145 However in
1970, prior to enacting the current Right of Privacy Statute, 146 the
Legislature enacted a law which created a remedy for an individual whose
name, portrait, or picture was misappropriated for trade purposes. 147
Id. at 112.
See id. at 112.
See id.
See Pardee, supra note 131, at 1254 n.27; see also Brauer v. Globe
Newspaper Co., 217 N.E.2d 736, 740 (Mass. 1966) (holding that that “an invasion
of privacy based on ‘publicity’ which casts the plaintiff ‘in a false light in the
public eye’ requires acts which are sufficient in themselves to familiarize the
public with either the name, likeness, or other means of identifying the plaintiff”);
Frick v. Boyd, 214 N.E.2d 460, 463-64 (Mass. 1966) (holding that publication of a
book which did not include any defamatory remarks about the plaintiff was not a
serious enough intrusion into the plaintiff’s private life to constitute an invasion of
privacy); Kelley v. Post Publ’g Co., 98 N.E.2d 286, 287 (Mass. 1951) (finding that
publication in a newspaper of a deceased car accident victim’s picture along with
her parents’ names was not an invasion of privacy); Themo v. New England
Newspaper Publ’g Co., 27 N.E.2d 753, 755 (Mass. 1940) (holding that the right of
privacy “does not protect one from having his name or his likeness appear in a
newspaper when there is legitimate public interest in his existence, his
experiences, his words, or his acts”); Marek v. Zanol Prods. Co., 9 N.E.2d 393,
394 (Mass. 1937) (finding that no invasion of privacy claim exists since the
plaintiff consented to the publishing of his photograph in a national magazine prior
to publication); Thayer v. Worcester Post Co., 187 N.E. 292, 294 (Mass. 1933)
(holding that there was no invasion of privacy when a picture, which the plaintiff
had no rights in, was excerpted and published in a newspaper).
146. MASS . GEN. LAWS ch. 214, § 1B (2000).
147. See id. § 3A. Appropriation has been defined as the “exploitation of
another’s identity for one’s own advantage.” WILLIAM L. PROSSER, THE LAW OF
TORTS § 804 (4th ed. 1971). The Massachusetts appropriation statute states that:
142.
143.
144.
145.
Any person whose name, portrait or picture is used within the
commonwealth for advertising purposes or for the purposes of trade
without his written consent may bring a civil action in the superior court
against the person so using his name, portrait or picture, to prevent and
restrain the use thereof; and may recover damages for any injuries
sustained by reason of such use. If the defendant shall have knowingly
used such person’s name, portrait or picture in such manner as is
prohibited or unlawful, the court, in its discretion, may award the
plaintiff treble the amount of the damages sustained by him . . . .
928
NEW ENGLAND LAW REVIEW
[Vol. 35:4
Subsequently, the more general Right of Privacy Law was enacted in
1973.148
B. Interpretation of the Massachusetts Right of Privacy Statute
The Massachusetts Right of Privacy Statute provides individuals with a
right against “unreasonable, substantial or serious interference with [their]
privacy”149 and is uniquely broad among privacy statutes. 150 However,
this phrase cannot be taken literally because it would then outlaw searches
and seizures which interfere with an individual’s privacy, yet are lawful. 151
Therefore, it may be concluded that the statute’s intention is to make
unprivileged invasions of an individual’s privacy actionable. 152 Evidently,
any interference with privacy that extends beyond what is essential under
the circumstances will be deemed unreasonable. 153 This notion indicates
that there are certain interests that compete with an individual’s right of
privacy, including freedom of expression, equality, security, governmental
effectiveness, and political involvement.154 In order to accommodate these
MASS. GEN. LAWS ch. 214, § 3A. The language of this Massachusetts appropriation
statute closely follows that of New York’s Right of Privacy Law. See Pardee,
supra note 131, at 1277. However, it seems unlikely that the Massachusetts courts
will look to New York’s right of privacy decisions for guidance because unlike
New York, Massachusetts also has a general right of privacy statute. See id.
Therefore, it is likely that Massachusetts will interpret its appropriation statute
more narrowly than New York has interpreted its similar right of privacy statute,
since Massachusetts courts may use chapter 214, section 1B “to cover many
situations which have been termed ‘appropriation’ by the New York courts.” Id.
148. MASS . GEN. LAWS ch. 214, § 1B; see also Pardee, supra note 131, at
1248-49.
149. MASS . GEN. LAWS ch. 214, § 1B. This type of interference can be
defined as that “which is offensive to a reasonable man and is without sufficient
justification.” Pardee, supra note 131, at 1276.
150. See Pardee, supra note 131, at 1251-52 n.16. It is interesting to note that
many states have supplemented other rights enumerated in their state constitutions
with a right of privacy. See, e.g., ALASKA CONST. art. I, § 22 (1972); CAL. CONST.
art. I, § 1 (1972); ILL. CONST . art. I, §§ 6, 12 (1970); MONT. CONST. art. II, § 10
(1972); S.C. C ONST. art. I, § 10 (1971); see also Pardee, supra note 131, at 125152 n.16.
151. See Pardee, supra note 131, at 1267.
152. See id.
The word “privilege” simply indicates a presumption of
reasonableness and the term “reasonableness” creates the need for a balancing test.
See id. at 1271. “The important variables in this test are the seriousness of the
interference with privacy . . . [and] the importance of the opposing public interest,
[as well as] the availability of alternative means of satisfying that interest.” See
id.
153. See id. at 1267.
154. See id.
2001]
WELD V. CVS PHARMACY, INC.
929
public interests, their importance must be weighed and balanced against
the interference with privacy. 155
Interpretation of the Massachusetts Right of Privacy Statute is
somewhat dependent upon the statute’s intended purpose.156 Some
authorities have espoused that the legislature intended to enact the statute
as it has been developed in other jurisdictions and as defined by Dean
Prosser.157 This interpretation would require that all actions for invasion
of privacy fall into one of Prosser’s four categories in order for the claim
to be adjudicated by the court.158 This view further reasons that the
Statute’s scope is a matter of judicial law, and it “empowers the courts to
adjudicate any case falling into one of Prosser’s categories.” 159 However,
there is little, if any, language in the Statute itself that supports this
interpretation.160 “[I]f the legislature intended merely to declare the
existence of a right of privacy without committing itself to any particular
theory . . . then the meaning of the statute – the breadth and application of
the right of privacy – is open to debate, and presumably to development
along wholly new lines.”161 Furthermore, the Massachusetts Courts may
prefer to interpret the Right of Privacy Statute so that it is consistent with
the decisional law of Massachusetts, and not necessarily with that of other
states.162
C. Additional Assurances in Massachusetts Law of Privacy and
Confidentiality
Presently, Massachusetts has no comprehensive laws regulating the
confidentiality and privacy of an individual’s medical records. The
current laws governing disclosure of these records only offer protection to
personal data maintained by governmental entities. 163 Consequently, these
laws fail to regulate the data kept by private organizations leaving most
types of health records vulnerable to disclosure.
See Pardee, supra note 131, at 1267.
See id. at 1252.
See id.
See id. Dean Prosser’s four proposed categories were as follows: “(1)
Intrusion into the plaintiff’s physical solitude; (2) Appropriation of the plaintiff’s
name or likeness without his consent for the defendant’s advantage; (3) Disclosure
to the public of embarrassing private facts; (4) Placing the plaintiff in a false light
in the public eye.” WILLIAM L. PROSSER, THE LAW OF TORTS §§ 804-14 (4th ed.
1971).
159. Pardee, supra note 131, at 1252.
160. See id.
161. Id.
162. See id. at 1254.
163. See infra notes 174–91 and accompanying text.
155.
156.
157.
158.
930
NEW ENGLAND LAW REVIEW
[Vol. 35:4
1. The Massachusetts Constitution and Common Law
Similar to the U.S. Constitution, the Massachusetts Constitution does
not actually contain a specific provision regarding the individual privacy
rights of its citizens.164 However, in numerous cases the Massachusetts
Supreme Judicial Court has followed the lead of the U.S. Supreme Court
by finding an implied protection of an individual’s privacy rights in
certain articles of the State Constitution. 165 The Court is able to do this by
recognizing that certain “zones of privacy” exist for every citizen, and the
government may not intrude upon these without demonstrating a
compelling state interest.166 Even if the government can show that a
164. See Barry L. Mintzer, Employee Mental Health and Other Sensitive
Records, in 1 MASSACHUSETTS CONTINUING LEGAL EDUCATION, DRAFTING
EMPLOYMENT DOCUMENTS IN MASSACHUSETTS : § 10.5.2 (Ann G. Leibowitz ed.,
1997). However, a minority of states have included express rights to privacy in
their constitutions. See, e.g., A LASKA CONST. art. I, § 22 (1972); ARIZ. CONST. art.
II, § 8 (1910); CAL. CONST. art. I, § 1 (1972); FLA. CONST. art. I, §§ 12, 23 (1982);
HAW. CONST. art. I, §§ 6, 7 (1968, 1978); ILL. CONST. art. I, §§ 6, 12 (1970); LA.
CONST. art. I, § 5 (1974); M ONT. CONST. art. II, § 10 (1972); S.C. CONST. art. I, § 10
(1971); WASH. CONST. art. I, § 7 (1889). See also Arnold, supra note 7, at 477
n.135.
165. See Mintzer, supra note 164, at § 10.5.2. The Massachusetts courts have
implied privacy rights into articles I, XIV, and XVI of the Massachuse tts
Declaration of Rights. See id. Article I declares that:
All people are born free and equal and have certain natural, essential
and unalienable rights; among which may be reckoned the right of
enjoying and defending their lives and liberties; that of acquiring,
possessing and protecting property; in fine, that of seeking and
obtaining their safety and happiness. Equality under the law shall not
be denied or abridged because of sex, race, color, creed or national
origin.
MASS. CONST. pt. 1, art. I. Individual privacy rights are also implied in article
XIV which asserts that:
Every subject has a right to be secure from all unreasonable searches,
and seizures, of his person, his houses, his papers, and all his
possessions. All warrants, therefore, are contrary to this right, if the
cause or foundation of them be not previously supported by oath or
affirmation; and if the order in the warrant to a civil officer, to make
search in suspected places, or to arrest one or more suspected persons,
or to seize their property, be not accompanied with a special designation
of the persons or objects of search, arrest, or seizure: and no warrant
ought to be issued but in cases, and with the formalities prescribed by
the laws.
MASS. CONST. pt. 1, art. XIV. These privacy rights are further implied in article
XVI which states that “[t]he liberty of the press is essential to the security of
freedom in a state: it ought not, therefore, to be restrained in this commonwealth.
The right of free speech shall not be abridged.” MASS. CONST. pt. 1, art. XVI.
166. See Mintzer, supra note 164, at § 10.5.1.
2001]
WELD V. CVS PHARMACY, INC.
931
compelling state interest exists, it must use the least intrusive method
available to achieve the legitimate public goal. 167 In following the lead of
the U.S. Supreme Court, application of the privacy rights found in the
Massachusetts Constitution is only effective when the privacy violations
are instigated by the government and appears to have no impact
whatsoever on privacy invasions initiated by private entities because
“state action” is lacking.168
A great deal of the interpretation relating to privacy that is extended to
the U.S. and Massachusetts Constitutions is borrowed from common law
theories.169 These include “torts of intrusion upon an individual’s solitude
or seclusion, and public disclosure of private facts.”170 As far back as
1912, prior to the enactment of any privacy statutes, the Massachusetts
courts discussed and considered the possibility of a common law cause of
action encompassing privacy violations.171 Privileged or confidential
communications are also recognized at common law. 172 These include
conversations between a husband and wife, and a variety of other
privileged communications which permit an individual to withhold
testimony about himself by another person. 173
2. Statutory Protection for Medical and Mental Health Records
The Massachusetts Legislature certainly has tried to protect the
confidentiality of medical and mental health records through its enactment
of a number of statutes that prevent access to such information. 174 The
See id.
See infra note 251-53 and accompanying text.
See Mintzer, supra note 164, at § 10.5.4.
Id.
See supra notes 137–44 and accompanying text.
See Mintzer, supra note 164, at § 10.5.4.
See id.
See id. § 10.6.1(a).
In the early 1970s, a Special Legislative
Commission on Privacy was formed “to investigate and study personal data
gathering, maintenance and dissemination practices in Massachusetts, asse ss their
implications on civil liberties and the rights of informational privacy and make
recommendations to rectify and prevent related problems.” SPECIAL LEGIS.
COMM’ N ON PRIVACY, SECOND INTERIM REPORT OF THE LEGIS. COMM’ N ON
PRIVACY, H.R. DOC. NO. 6106, available in Massachusetts Legislative Documents,
Vol. 6051-6199, at 7 (1975). Many other states have also enacted laws to protect
an individual’s medical information from disclosure. See ROBERT E LLIS SMITH,
COMPILATION OF S TATE AND FEDERAL PRIVACY LAWS 32, 32-36, 46-47 (1992). For
example, California, which forbids the disclosure of a patient’s medical
information unless written permission is first obtained from the patient. See id. at
32. Further, Colorado has included medical records in the state criminal theft
statute, clearly indicating that the information contained in medical records is
considered as having value under the law. See id. The Colorado Criminal Code
states that “[a]ny person who, without proper authorization, knowingly obtains a
167.
168.
169.
170.
171.
172.
173.
174.
932
NEW ENGLAND LAW REVIEW
[Vol. 35:4
Massachusetts Patients’ and Residents’ Rights Law provides privacy
rights to any records, communications, and treatment occurring in a
hospital or healthcare facility licensed by or subject to licensing by the
Commonwealth.175 Another statute provides for a psychotherapist-patient
privilege.176 This law allows a patient or their psychotherapist to refuse to
disclose any and all communications between the patient and the therapist
provided the communications were made in the course of diagnosis or
treatment of the patient’s mental or emotional condition.177 Similarly, the
Legislature has created statutes that protect the confidentiality of
communications between licensed social workers and their clients, 178 as
well as between psychologists and their clients. 179 To further protect an
medical record or medical information with the intent to appropriate [it] to his own
use or the use of another, who steals or discloses to an unauthorized person a
medical record or medical information . . . commits a theft.” Id. (citation omitted).
Minnesota has a patient’s bill of rights which requires that every consideration be
given to maintain a patient’s privacy and individuality. See id. at 34. In Nevada
patients may either personally refuse to disclose their health information or they
may forbid others from disclosing it. See id. at 35. New York recognizes
privileged communications between patients and nurses as well as between
patients and physicians. See id. Rhode Island requires organizations maintaining
medical information to implement policies which will assure privacy, and the state
of Wisconsin mandates the confidentiality of patient records with the exception of
those used in healthcare to process payments, claims, and for research. See id. at
36.
175. See MASS . GEN. LAWS ch. 111, § 70E (2000). This statute states in part
that “[e]very patient or resident of a facility shall have the right: . . . to
confidentiality of all records and communications to the extent provided by law . .
. .” Id. § 70E(b). However, there is an exception under this statute permitting
third-party payers to examine medical records in order to determine a patient’s
eligibility or entitlement to benefits, as long as the policy under which the claim is
made allows access to such records. See id. § 70E(n)(h)(4). This statute provides
that “all records relating to diagnosis, treatment, or other services provided to any
person, including a minor or incompetent,” are available to third -party payers for
inspection, copying and to aid in determining the patient’s eligibility for benefits.
Id.
176. See MASS . GEN. LAWS ch. 233, § 20B.
177. See id.
178. See id. ch. 112, § 135. This Statute prohibits a licensed social worker
from disclosing information communicated to them by their clients, unless the
client provides the social worker with written consent to do so. See id. It also
gives a social worker permission to disclose confidential communications if “the
social worker has a reasonable basis to believe that there is a clear and present
danger that the client will attempt to kill or inflict serious bodily injury against a
reasonably identified victim . . . [or himself and refuses to voluntarily accept
further suitable treatment].” Id. § 135A(c)(2).
179. See id. ch. 112, § 129A. Psychologists also have a duty to keep all
communications between themselves and their clients confidential. See id.
However, this duty is suspended if the client presents a clear and present danger to
2001]
WELD V. CVS PHARMACY, INC.
933
individual’s medical records, Massachusetts law provides that any record
of a patient’s treatment in a drug or alcohol rehabilitation facility must be
kept confidential.180 This Statute also indicates that these records may
only be made available by judicial order.181 In order for the patient to
authorize disclosure of his records at a drug rehabilitation facility, the
patient must provide the facility with written permission, including his
signature, and the disclosure must be for the patient’s benefit.182 “[The]
consent . . . [also must] state the name of the person or organization to
whom the disclosure is to be made, the specific type of information to be
disclosed, and the purpose or need for such disclosure.” 183
Additionally, the legislature has limited the right of an employer to
acquire information regarding an employee or job applicant’s treatment
for mental illness.184 An employer may not refuse to hire or discharge an
individual from employment based on the applicant or employee’s failure
to provide information regarding their prior admission to a mental health
facility, unless the request is based on a genuine occupational
requirement.185 Moreover, if the applicant or employee has been
discharged from the facility, is no longer under treatment, and can prove
that they are mentally competent to perform the job, via a psychiatrist’s
certificate, the employer may not use this information as grounds for an
adverse employment decision.186
3. The Fair Information Practices Act
The legislature has made another effort to protect the privacy of
individuals in Massachusetts with the enactment of the Fair Information
Practices Act (FIPA).187 This statute establishes the general duties of
governmental officials with regard to the use of personally-identifiable
data as well as the rights of individuals with respect to such data. 188 The
himself or to others and refuses to voluntarily accept the necessary treatment. See
id. § 129A (1)-(2).
180. See id. ch. 111E, § 18, ch. 111B, § 11.
181. See id.
182. See MASS . GEN. LAWS ch. 111E, § 18(a) (2000).
183. Id.
184. See id. ch. 151B, § 4(9A).
185. See id.
186. See id.
187. See id. ch. 66A, § 3.
188. See Donna E. Arzt, Privacy Law in Massachusetts: Territorial,
Informational and Decisional Rights, Vol. 70, #4 MASS. L. REV. 173, 182 (1985).
Personal data includes “any information concerning an individual which, because
of name, identifying number, mark or description can be readily associated with a
particular individual, and which is accessible by such name, mark, or description,
provided, however, that such information is not contained in a public record . . . .”
SPECIAL LEGIS . COMM’ N ON PRIVACY, SECOND INTERIM REPORT OF THE LEGIS.
934
NEW ENGLAND LAW REVIEW
[Vol. 35:4
law’s “purpose is to provide safeguards for the selection and use of
personal information, provide reasonable access by individuals to their
records, provide a system of registration and identification of stateoperated personal data systems and provide civil remedies for violations
of its provisions.”189
However, FIPA only protects the private records of individuals
collected by certain governmental entities. 190 Consequently, it affords no
protection to an individual’s personal records, including medical records,
which are collected and maintained by private organizations. 191
Accordingly, it fails to protect the type of individual data maintained by a
private company such as CVS, which may be inclined to disclose the
personal information contained in their pharmacy records for their own
economic benefit.
Many Massachusetts statutes require medical personnel in private
practice to maintain records and report information regarding particular
medical conditions to the Departments of Public Health or Safety. 192 The
conditions that must be reported by law include “birth defects, gunshot
wounds, venereal and other communicable diseases.” 193 These statutes do
not require the patient’s consent in order for the reporting to occur and
most of these reports are not considered public records of the agency. 194
Additionally, the statutes clearly indicate the penalties for disclosure of an
individual’s personal identity in connection with this information. 195
D. Where does Weld v. CVS Pharmacy, Inc. fit into Massachusetts Law
It is clear that the Massachusetts Legislature is immensely concerned
with privacy issues as evidenced by the myriad of legislation that has been
enacted. However, not one of these statutes directly addresses the
problem in Weld.196 It seems that the Massachusetts Right of Privacy
Statute197 with its broad language, offers the only possibility of protection
for the personal information contained in pharmacy records. By applying
the language of this statute, the court could find that when a pharmacy
COMM’ N ON PRIVACY, H.R. D OC. NO. 6106, available in Massachusetts Legislative
Documents, Vol. 6051-6199, at 12 (1975).
189. S PECIAL LEGIS . C OMM ’ N ON PRIVACY , R EPORT OF THE LEGIS . C OMM’ N ON
PRIVACY, H.R. DOC. NO. 5417, available in Massachusetts Legislative Documents,
Vol. 13, at 31 (1975).
190. See Arzt, supra note 188, at 182.
191. See id.
192. See id. at 188.
193. Id.
194. See id.
195. See id.
196. No. 98-0897F, 1999 Mass. Super. LEXIS 261, at *3 (June 1, 1999).
197. MASS . GEN. LAWS ch. 214, § 1B (2000).
2001]
WELD V. CVS PHARMACY, INC.
935
uses the prescription records of its customers to aid private companies
with marketing strategies, this constitutes an interference with those
customer’s privacy that is “unreasonable, substantial, or serious.”198
Furthermore, if the Massachusetts Legislature does not enact a law
specifically designed to protect the privacy of an individual’s prescription
and medical information, the courts have little choice other than to
safeguard these records with the more general Right of Privacy Statute. 199
When considering the expanse of the current privacy protections created
by the legislature, it could be assumed that the legislature consciously
chose not to enact specific protections for prescription information in the
possession of private entities, having determined that this information was
adequately protected by the Right of Privacy Statute or the more specific
Massachusetts Code of Regulations which includes regulations overseeing
pharmacists.200 However, the private sector would likely interpret the
absence of a specific law governing the disclosure of these records as
intentionally omitted. These private organizations would argue that the
legislature, which has so adeptly enacted legislation to protect individual
privacy, must have intentionally excluded similar protections for
pharmacy records maintained in the private sector because they deemed
such protections unnecessary. Nonetheless, this flimsy argument is
198. Id.
199. The state of Rhode Island has enacted legislation that provides specific
protections to the medical records of individuals. See R.I. GEN. LAWS § 5-37.3-4
(2000). This statute, entitled the Confidentiality of Health Care Communications
and Information Act [hereinafter the Act], “establish[es] safeguards for
maintaining the integrity of confidential health care information that relates to an
individual.” Id. § 5-37.3-2. The Act appears to accomplish this goal by requiring
a patient’s written consent whenever their confidential health care information is
released, with some important exceptions. See id. § 5-37.3-4(a). These exceptions
include: release of confidential information to other medical personnel, when
necessary for diagnosis or treatment in an emergency; to qualified personnel
conducting scientific research; to appropriate law enforcement personnel by a
healthcare provider; to third party health insurers; to the attorney or medical
liability insurance carrier of a healthcare provider; to public health authorities; for
information regarding a worker’s compensation claim; to appropriate school
authorities of disease by a healthcare provider; to a court pursuant to a subpoena;
to the central cancer registry; and to family services along several other entities
further described in the statute. See id. § 5-37.3-4(b). Entities falling under the
exceptions of the Act are not required to obtain written permission from
individuals before releasing or accessing their medical records. Also, these
exceptions do not permit disclosure of personal medical information to most
private organizations. See id. It is also important to note that the Act provides
various penalties for those who violate it. See id. § 5-37.3-4(a)(1-3). These
include actual and punitive damages, attorney’s fees, a $5000 fine or up to six
months imprisonment. See id. § 5-17.3-4(a)(1-3).
200. See MASS . R EGS . C ODE tit. 247, §§ 9.01(1-19) (1999); see also infra
notes 358-68 and accompanying text.
936
NEW ENGLAND LAW REVIEW
[Vol. 35:4
unreasonable because it assumes that the legislature has the resources to
enact laws protecting an individual’s privacy in every imaginable situation
where the potential for an inappropriate invasion exists. Therefore, until
the legislature observes that pharmacy records are inadequately protected,
it might simply assume that this information is sufficiently safeguarded
under the Right of Privacy Statute and the Massachusetts Code of
Regulations.201
In Weld, the defendant argued that there was no unreasonable,
substantial or serious interference with either plaintiffs’ privacy because
the information received by the drug manufacturers and the mailing
company was not confidential in nature.202 CVS contended that it never
provided Elensys or the drug companies with any of plaintiff Kelley’s
prescription information and that the only information disclosed to these
entities was the plaintiff’s name, address, and date of birth. 203 CVS
further reasoned that “[a]s a matter of law, such disclosures are
insufficient to give rise to a violation of G.L. c. 214, section 1B, which
proscribes only the ‘disclosure of facts about an individual that are of a
highly personal or intimate nature.’”204
However, the plaintiffs in Weld not only complained about the use of
their names, addresses, and dates of birth without their permission, “but
[also] complain[ed] that CVS’s marketing program as a whole, which
involved at least the use of Kelley’s name, address and date of birth in
conjunction with the systematic searching of customer prescription
records, constitute[d] a violation of plaintiffs’ right of privacy.”205 The
defendant used Pottle v. School Committee of Braintree206 to support his
proposition that a violation of privacy does not occur when names and
addresses alone are disclosed.207 However, the court explained that “the
issue in Pottle was factually more narrow” concerning only “whether the
disclosure of the names and addresses of public school employees fell
within the privacy exemption of the public records statute,” section 7 of
201. See MASS . R EGS . C ODE tit. 247, § 9.01 (1999).
202. See Defendant’s Memorandum in Support of the Motion for Summary
Judgment at 11, Weld v. CVS Pharmacy, Inc., 10 Mass. L. Rptr. No. 10, 217
(Mass.Super. 1999) (No. CIV. A. 98-0897F) [hereinafter Defendant’s Mem. Supp.
Summ. J.].
203. See id.
204. Id. (quoting Bratt v. International Business Machines Corp., 467 N.E.2d
126, 133-34 (1984)).
205. Weld, 1999 Mass. Super. LEXIS 261, at *14. The court hearing the
summary judgment motion asserted that the Right of Privacy statute neither
require that the private information be disclosed to the public at large, nor “rule[s]
out at least the possibility that the use of names and addresses for the purposes
involved here, might constitute a violation.” Id. (citation omitted)
206. 482 N.E.2d 813 (Mass. 1985).
207. See Weld, 1999 Mass. Super. LEXIS 261, at *11-*12.
2001]
WELD V. CVS PHARMACY, INC.
937
chapter 26 of the Massachusetts General Laws.208 The Pottle “court said
that names and addresses [were] not ‘intimate details of a highly personal
nature,’ and that ‘public employees, by virtue of their public employment,
have diminished expectations of privacy,’ so that such information could
be disclosed.”209 Conversely, in Weld, the plaintiffs did not relinquish their
expectations of privacy since they were not public employees. 210
Furthermore, the actual letters mailed included information specifically
208. Id. at *12.
209. Id. (citing Pottle v. School Comm. of Braintree, 482 N.E.2d 813, 817
(Mass. 1985)). Several other authorities cited by the defendant are also
distinguishable for various reasons from the instant case.
See Plaintiff’s
Memorandum in Opposition to Defendant’s Motion for Summary Judgment at 21,
Weld v. CVS Pharmacy, Inc., 10 Mass. L. Rptr. No. 10, 217 (Mass.Super. 1999)
(No. CIV. A. 98-0897F) [hereinafter Plaintiff’s Mem. Opp’n. Summ. J.].
“Mulgrew v. City of Taunton, [574 N.E.2d 389 (Mass. 1991)] and Folmsbee v.
Teck Tool Grinding & Supply, Inc., [630 N.E.2d 586 (Mass. 1994)] involved
disclosure of personal information that would otherwise violate the statute but that,
unlike the situation in this case, was found to be reasonable because of the
employer’s legitimate business interests.” Id. at 21 n.33. Likewise, “Schlessinger
v. Merrill Lynch, Pierce Fenner & Smith, [567 N.E.2d 912 (Mass. 1991)] held that
cold calls from securities brokers to solicit business, while annoying, did not
substantially or seriously interfere with the plaintiff’s privacy. However, that
conduct involved no disclosure of any type of personal information.” Id. (citation
omitted). Similarly, “Flesner v. Technical Communications Corporation, [575
N.E.2d 1107 (Mass. 1991)] and Canney v. City of Chelsea, 925 F.Supp. 58
(D.Mass. 1996) are distinguishable because in those cases, there was no evidence
of any private information having been disclosed.” Id. at 21 n.33. Also in
“Petsch-Schmid v. Boston Edison Company, 914 F.Supp. 697 (D.Mass. 1996), the
[c]ourt found that communications alleged to have interfered with the plaintiff’s
privacy were either privileged or authorized in connection with the plaintiffs’
employment or otherwise justified.” Id. at 21-22 n.33 (citation omitted). Finally,
there is Cort v. Bristol-Meyers Company, [431 N.E.2d 908 (Mass. 1982)], which
has a unique fact pattern that is inapplicable to the present case. See Plaintiff’s
Mem. Opp’n. Summ. J. at 22 n.33. The plaintiff-employees in Cort “complained
about personal information requested in an employer’s questionnaire; however, the
Court found no invasion of privacy, because they refused to answer the allegedly
offensive questions.” Id. (citation omitted).
210. See Weld, 1999 Mass. Super. LEXIS 261, at *12. In Doe v. Registrar of
Motor Vehicles, 528 N.E.2d 880 (Mass. App. Ct. 1988), the court addressed an
issue regarding the “availability of license applicant information such as name,
address, date of birth, social security number and height under” section 30 of
chapter 90 of the Massachusetts General Laws, and the court held that this
information was not a “public record” and that disclosure of it may “constitute an
unwarranted invasion of privacy, even though it was collected for a public
purpose.” Weld, 1999 Mass. Super. LEXIS 261, at *12-*13 (citation and footnote
omitted). Under sections 7 and 26(c) of chapter 26(c) of the Massachusetts
General Laws, any “data relating to a specifically named individual, the disclosure
of which may constitute an unwarranted invasion of . . . privacy” is excluded from
public record status. Id. at *12 n.11
938
NEW ENGLAND LAW REVIEW
[Vol. 35:4
identifying the medical condition the recipient was suffering from, 211 so it
can not accurately be maintained by CVS that only names, addresses, and
dates of birth were disclosed during this process.
The broad language of the Right of Privacy Statute provides little
guidance as to the type of behavior that would constitute an interference
with privacy, nor have the courts created a bright-line test to determine
actionable conduct under the statute.212 However, even interoffice
communications among corporate employees containing personal
information have been found by the courts to be an invasion of privacy
under the statute.213 In Bratt v. International Business Machines Corp.,214
the SJC concluded that when the personal information of an employee is
shared with co-workers, this is adequate publication to be deemed a
violation of the privacy statute.215 In Tower v. Hirschhorn,216 the SJC
similarly held that if confidential medical information is revealed to more
than one person without the patient’s consent, this act may be an invasion
of privacy.217
Likewise, the confidential prescription information that CVS disclosed
is surely among the types of personal information which the Right of
Privacy Statute protects from disclosure. 218 The violation of the plaintiffs’
privacy in Weld is even more astonishing in light of the fact that CVS
affirmatively represented to its customers that the confidentiality of their
prescription records would be preserved.219 These representations were
made in a brochure available to all CVS customers at the pharmacy
211. See Plaintiff’s Mem. Opp’n. Summ. J., supra note 209, at 21. For
example, the letter sent to plaintiff Kelley states “[I]f you have a history of heart
disease or think you may be at risk for it (for example, if you have diabetes . . .).”
Id. at 13. Kelley was targeted because he suffered from diabetes and this
information was obviously revealed in the letter CVS sent to him.
212. See id. at 18. The Supreme Judicial Court had previously “indicated
[sic] that the statute should be applied on a case-by-case basis . . . by balancing
relevant factors . . . and by considering prevailing societal values and the ability to
enter orders which are practical and capable of reasonable enforcement.” Weld,
1999 Mass. Super. LEXIS 261, at *15 (citations omitted).
213. See id. at *14 n.14 (citing Bratt v. International Business Machines
Corp., 467 N.E.2d 126, 134 n.15 (Mass. 1984)).
214. 467 N.E.2d 126 (Mass. 1984).
215. See id. at 134 n.15; Plaintiff’s Mem. Opp’n. Summ. J., supra note 209, at
18 (citation omitted).
216. 492 N.E.2d 728 (Mass. 1986).
217. See id. at 732; Plaintiff’s Mem. Opp’n. Summ. J., supra note 209, at 18
(citation omitted).
218. See Plaintiff’s Mem. Opp’n. Summ. J., supra note 209, at 21; see also,
e.g., Pressman v. Brigham Med. Group Found., Inc., 919 F.Supp. 516, 524
(D.Mass. 1996) (denying summary judgment on claim under M.G.L. ch. 214, § 1B
that the defendants reviewed the plaintiff’s medical records without permission).
219. See Plaintiff’s Mem. Opp. Summ. J., supra note 209, at 15.
2001]
WELD V. CVS PHARMACY, INC.
939
prescription counter.220 A section of the brochure entitled “Answers to
Your Questions” stated: “Q. I want my prescription kept private. Who will
have access to these records? A. The same people who have always had
access to this information: you, your CVS pharmacist and your doctor.”221
The brochure further states: “CVS has always respected the confidentiality
of the information in your prescription files and will continue to do so.” 222
At the very least, CVS failed to comply with the express promise in its
brochure, and it seems unlikely from the facts of this case that CVS
“respected the confidentiality” of their customers’ prescription
information. In actuality, CVS did the complete opposite. It used the
personal information its customers entrusted to their pharmacists to assist
drug manufacturers with their marketing programs.
Furthermore, CVS’s argument that its conduct does not constitute a
breach of the plaintiffs’ privacy because the information was given to it
voluntarily by the plaintiffs 223 is absurd since it is virtually impossible for
an individual to legally obtain prescription medication without turning his
prescription over to a pharmacist. In Alberts v. Devine,224 the SJC
recognized that patients have a legitimate interest in maintaining the
confidentiality of medical facts and that this confidentiality is “a cardinal
rule of the medical profession, faithfully adhered to, . . . and . . . justifiably
relied upon by patients seeking advice and treatment.” 225 The SJC
reasoned that public policy favored safeguarding the right of patients to
confidentiality.226 Accordingly, patients have the same expectation of and
interest in privacy in their medical records, regardless of whether these
records are maintained in hospital files, physician’s notes or as part of a
prescription.227
Another possible solution to the problem in Weld, would be for CVS
and other pharmacies to distribute a consent form to their customers when
they fill their prescriptions.228 This document would provide pharmacy
customers with the opportunity to indicate to the pharmacy whether or not
they are interested in receiving patient education materials. 229 If the
customer wishes to receive this additional information, they can provide
220.
221.
222.
223.
224.
225.
See id.
Id.
Id.
See Defendant’s Mem. Supp. Summ. J., supra note 202, at 16.
479 N.E.2d 113 (Mass. 1985).
Id. at 119 (citing MacDonald v. Clinger, 84 A.D.2d 482, 483 (N.Y.
1982)).
226.
227.
228.
229.
See
See
See
See
id.
Plaintiff’s Mem. Opp’n. Summ. J., supra note 209, at 23.
Rubinstein, supra note 36, at 229 n.208.
id.
940
NEW ENGLAND LAW REVIEW
[Vol. 35:4
their authorization on the form. 230 If they have no interest in this
literature, they may decline, and thus avoid receiving any marketing
materials from the pharmacy and its partners. 231 Accordingly, the
customer’s privacy will be protected from invasion since their personal
prescription information will not be used for any targeted mailings.
Notably, the controversy with Weld is not the actual harm caused by
sending out letters, but the potential for much greater harm if these types
of mailing lists fall into the wrong hands. 232 These types of practices tend
to blur the lines between marketing and medicine,233 giving the public a
negative perception of the pharmaceutical industry’s use of data. 234 This
perception tends to limit the industry’s ability to access the type of patient
information critical to research, drug development, post-marketing
surveys, and educational efforts.235 Likewise, if laws are enacted that
impinge on the health care industry’s effectiveness, patients will suffer
and health care costs will rise.236
IV. THE RIGHT OF PRIVACY UNDER FEDERAL LAW
There are presently no comprehensive federal laws regulating the
confidentiality and privacy of an individual’s medical records. 237 The law
governing the privacy of these records consists of a patchwork of state and
federal laws which leave most types of health records vulnerable to
disclosure.238 The health records with the fewest “legal assurances of
confidentiality” are those ordinary medical records of individuals
collected and maintained by the private sector. 239 These records often
230. See id.
231. See id.
232. See Paul Starr, Electronic Medical Information: Privacy, Liability, &
Quality Issues, 25 AM. J.L. & MED. 193, 197-98 (1999).
233. See Henry L. Davis, An Invasion of My Privacy . . . . Blues Members
Upset by Name Sharing, BUFFALO NEWS, Sept. 5, 1999, at A1.
234. See Glenna Crooks, Patient Privacy vs. Pharmacy Compliance: Health
Care Values Collide, PHARMACEUTICAL EXECUTIVE, Vol. 19, Issue 4 (April 1,
1999).
235. See id.
236. See id.
237. See Turkington & Allen, supra note 125.
238. See id. at 223-24.
239. Richard C. Turkington, Medical Record Confidentiality Law, Scientific
Research, and Data Collection in the Information Age, 25 JOURNAL OF LAW,
MEDICINE & ETHICS 113, 119 (1997). Most confidentiality law is characterized by
a caste system of protecting records. See id. The more intimate and highly
personal the health record the stronger the privacy protections. See id. Therefore
drug, alcohol, and mental health treatment records along with records of an
individual’s HIV status receive the most privacy protection. See id. General
health records maintained by government agencies are lower in the caste, but are
still given some legal assurances of privacy and confidentiality. See id. In fact,
2001]
WELD V. CVS PHARMACY, INC.
941
include general releases authorizing the recipient of the information to
further disclose individual medical information for any legal reason and
are not unusual in third-party payer and insurance contracts.240 These
comprehensive releases lead to the patient losing privacy and
confidentiality since they permit medical information to be re-disclosed
for uses aside from actual treatment by a medical professional. 241
A. Current Federal Privacy Protections
1. The U.S. Constitution
The U.S. Constitution does not expressly entitle individuals to a right of
privacy,242 although the “right to be let alone” has long been recognized. 243
The right of privacy implicitly recognized in the Constitution has several
aspects.244 Foremost, individuals have the right to make particular
personal decisions without having the government interfere.245 These
choices may include decisions relating to marriage, procreation, child
bearing, child rearing, and various familial relationships. 246 Additionally,
these records “are protected by privacy acts, by privacy and medical records
exemptions in freedom of information and privacy acts, and by some fair
information practices acts. They also enjoy a degree of constitutional protection.”
Id.
240. See id.
241. See id.; see also Paul M. Schwartz, The Protection of Privacy in Health
Care Reform, 48 VAND. L. REV. 295 (1995) (discussing privacy and data
processing issues in health reform). See generally Gostin, supra note 16, at 480;
Richard C. Turkington, Legal Protection for the Confidentiality of Health Care
Information in Pennsylvania: Patient and Client Access; Testimonial Privilege;
Damage Recovery for Unauthorized Extra-Legal Disclosure, 31 VILL. L. REV. 259
(1987) (discussing the various laws involving the confidentiality of health
records).
242. See Jonathan Brant, A General Introduction to Privacy, 61 MASS . L.Q.
10, 11 (1976).
243. Olmstead v. United States, 277 U.S. 438, 478 (1928) (Brandeis, J.,
dissenting).
244. See Arnold, supra note 7, at 472.
245. See id. In Roe v. Wade, 410 U.S. 113 (1973), the right to privacy was
expanded to include abortions affording individuals greater privacy protection in
reproductive matters. See Rubinstein, supra note 36, at 206 n.24. Furthermore, in
Eisenstadt v. Baird, 405 U.S. 438 (1972), the right to privacy was recognized as
belonging to the individuals in a marital relationship and not just to the marital
relationship itself. See id. Finally in Griswold v. Connecticut, 381 U.S. 479
(1965), the U.S. Supreme Court acknowledged the existence of privacy rights
allowing married couples to control decisions in reproductive matters. See id.
246. See Arnold, supra note 7, at 472 n.97 (citing Roe v. Wade, 410 U.S. 113,
153 (1973), Doe v. Bolton, 410 U.S. 179, 192 (1973) (finding that the right of
privacy can extend to protect a woman’s choice to end a pregnancy); Eisenstadt v.
Baird, 405 U.S. 438, 453 (1972); Griswold v. Connecticut, 381 U.S. 479, 485-86
942
NEW ENGLAND LAW REVIEW
[Vol. 35:4
“disclosure privacy,” which refers to an individual’s ability to control the
time, place and manner in which private information is revealed to others,
protects an individual’s right to not have his private affairs made public by
the government.247 Furthermore, the tradition of civil rights in the U.S.
prevents the government from forcing “disclosure of certain aspects of
private life, especially where relationships based on trust and
confidentiality are involved.”248 The U.S. Constitution also prohibits the
government from surveillance of and intrusion into the private lives of
individuals.249
However, most of these protections are only actionable when the
government is involved in the privacy intrusion. 250 Generally, the privacy
rights contained in the Constitution will only protect an individual from
governmental privacy invasions and not from those by private groups or
individuals.251 Unfortunately, “the overwhelming majority of . . . medical
information in the United States is . . . in the hands of the [private sector],
. . . such . . . as non-governmental doctors and hospitals, and insurance
companies.”252 Private entities such as these are highly unlikely to meet
the tests necessary to establish state action and, therefore, individuals
whose privacy is invaded by such organizations will not be protected
under constitutional law.253
Even though many feel they have a right to keep their medical records
private, the Supreme Court has been hesitant to acknowledge this. 254 In
Whalen v. Roe,255 the Supreme Court addressed the issue of whether the
State of New York could maintain, in a centralized database, the names
and addresses of individuals filling prescriptions for certain dangerous
(1965) (holding that contraceptives are included in the right of privacy); Pierce v.
Society of Sisters, 268 U.S. 510, 534-35 (1925); Meyer v. Nebraska, 262 U.S. 390,
399 (1923) (deciding that the Constitution protects an individual’s freedom to
make decisions involving matters of child rearing)).
247. See Arnold, supra note 7, at 472.
248. Id.
249. See id. at 473. “The Fourth Amendment’s prohibition against
unreasonable searches and seizures restrains government access to info rmation that
the individual reasonably expects to be kept private. This protects both paper
documents and electronic signals.” Id. (footnotes omitted).
250. See S CHWARTZ & R EIDENBERG , supra note 123, at 172.
251. See id. This limitation is expressed in Constitutional law by the “state
action” doctrine. See id. “Before constitutional rights can be relied upon, the state
action doctrine requires action by the government itself or a close nexus between
the government and the behavior of the private entity that has infringed [upon] the
right.” Id.
252. Id.
253. See id.
254. See Rubinstein, supra note 36, at 207.
255. 429 U.S. 589 (1977).
2001]
WELD V. CVS PHARMACY, INC.
943
medications which are available through both legal and illegal channels. 256
The Court decided that since the statute was an “orderly and rational
legislative decision, . . . the legislature’s enactment of the patientidentification requirement was a reasonable exercise of New York’s broad
police powers,” which was necessary to “minimize the misuse of
dangerous drugs” and to control their distribution. 257
The Supreme Court indicated that even though the case law contained
informational privacy rights prohibiting the “disclosure of personal
matters” and protecting the independence in decision-making,258 New
York’s procedure for data collection did not infringe upon either of these
two interests.259 The Court reasoned that the state’s security measures in
collecting and maintaining a patient’s personal medical data were
adequately designed to insure protection from public disclosure. 260 The
Court further stated that the New York statute did not interfere with the
patient’s decision-making since “the decision to prescribe, or to use”
remained within the control of the doctor and the patient. 261
Although Whalen has the potential to be a key component in data
privacy law, it has failed to produce strong federal protections for medical
privacy.262 Many lower courts have applied the first Whalen interest of
256.
257.
258.
259.
See id. at 591.
Id. at 597-98.
Id. at 599-600.
See id. at 600. The Court noted that:
[The private information that must be disclosed under the statute is not]
meaningfully distinguishable from a host of other unpleasant invasions
of privacy that are associated with many facets of health care.
Unquestionably, some individuals’ concern for their own privacy may
lead them to avoid or to postpone needed medical attention.
Nevertheless, disclosures of private medical information to doctors, to
hospital personnel, to insurance companies and to public health
agencies are often an essential part of modern medical practice even
when the disclosure may reflect unfavorably on the character of the
patient. Requiring such disclosures to representatives of the State
having responsibility for the health of the community, does not
automatically amount to an impermissible invasion of privacy.
Id. at 602.
260. See Whalen v. Roe, 429 U.S. 589, 601 (1977).
261. Id. at 603.
262. See S CHWARTZ & R EIDENBERG , supra note 123, at 174; see also Doe v.
Southeastern Penn. Transp. Auth., 72 F.3d 1133, 1137-38, 1143 (3d Cir. 1995)
(finding that the privacy protection granted in Whalen to an individual’s medical
records should be expanded to include prescription records since “[i]t is now
possible from looking at an individual’s prescription records to determine that
person’s illnesses, or even to ascertain such private facts as whether a woman is
attempting to conceive a child through the use of fertility drugs;” and further
stating that “a self-insured employer’s need for access to employee prescription
records under its health insurance plan, when the information disclosed is only for
944
NEW ENGLAND LAW REVIEW
[Vol. 35:4
“nondisclosure” to “governmental attempts to obtain or examine
[individual] medical information,” but have been inconsistent in their
application.263
Some of these courts have interpreted Whalen as
authorizing all legitimate requests for medical data by the government,
while others have allowed the “nondisclosure interest” to apply only to a
limited group of fundamental constitutional rights, thus restricting the
government’s access to some medical data. 264 Any further interpretation
of the second Whalen interest of “autonomy in decision-making” has been
almost completely absent from subsequent decisions similar to Whalen.265
The due process clause of the Fourteenth Amendment can be violated if
an individual’s medical information is disclosed without consent. 266 This
amendment recognizes as a liberty interest an individual’s freedom to care
for his or her health.267 The release of private medical information can
also impact a person’s property interest in his reputation. 268 Therefore, the
the purpose of monitoring the plans by those with a need to know, outweighs an
employee’s interest in keeping his prescription drug purchases confidential”
because the intrusion is trivial); Doe v. Borough of Barrington, 729 F. Supp. 376,
384-85 (D.N.J. 1990) (holding that “[d]isclosures about AIDS cause a violation of
the family’s privacy much greater than simply revealing any other aspect of their
family medical history,” and recognizing that an individual’s “privacy interest in
[their] exposure to the AIDS virus is even greater than [their] privacy interest in
ordinary medical records because of the stigma that attaches with the disease”);
United States v. Westinghouse Elec. Corp., 638 F.2d 570, 580 (3d Cir. 1980)
(holding “that the strong public interest in facilitating the research and
investigations of [the National Institute for Occupational Safety and Health
(NIOSH)] justify . . . minimal intrusion into the privacy which surrounds [the
medical records of Westinghouse employees], and that Westinghouse is not
justified in its blanket refusal to give NIOSH access to them”); United States v.
Acklen, 690 F.2d 70, 75 (6th Cir. 1982) (concluding that “the pharmaceutical
industry . . . is a pervasively regulated industry and that consequently pharmacists
and distributors subject to the Controlled Substances Act have a reduced
expectation of privacy in the records kept in compliance with the Act,” and under
certain circumstances the government may inspect these records by obtaining only
an administrative inspection warrant and not a search warrant); Stone v. City of
Stow, 593 N.E.2d 294, 300-01 (Ohio 1992) (finding that “[s]ince a pharmacy is a
pervasively regulated business, the ‘administrative search’ exception to the
warrant requirement applies [leaving the] pharmacist [with] a reduced expectation
of privacy in the prescription records he or she keeps”).
263. S CHWARTZ & R EIDENBERG , supra note 123, at 174; see also, e.g., Mann
v. University of Cincinnati, 824 F. Supp. 1190 (S.D. Ohio 1993); Doe v. Borough
of Barrington, 729 F. Supp. 376 (D.N.J. 1990).
264. See S CHWARTZ & R EIDENBERG , supra note 123, at 174-75; see also, e.g.,
Walls v. City of Petersburg, 895 F.2d 188 (4th Cir. 1990).
265. See S CHWARTZ & R EIDENBERG , supra note 123, at 175.
266. See Arnold, supra note 7, at 473.
267. See id.
268. See id. (citing Whalen v. Roe, 429 U.S. 589, 599-600 (1977) (finding
that individuals have a protected privacy interest in avoiding disclosure of private
2001]
WELD V. CVS PHARMACY, INC.
945
collection and maintenance of medical information implicates procedural
due process concerns as well.269 However, this amendment does not
provide an absolute right of privacy for a person’s health records.270 The
state need only demonstrate a compelling interest in order to justify
regulation of protected rights.271 “For example, public health concerns can
outweigh the private interest in avoiding disclosure of individual disease;
prescription data can be seized to monitor possible drug abuse; and a
national health care program . . . may proscribe the individual’s ability to
make . . . decisions concerning health care.”272
Although CVS and drug manufacturers may not be able to show a
compelling interest in having private health data disclosed, this is
presently of no consequence because the protections of the U.S.
Constitution are only applicable when government action is involved. 273
As a result, individuals are not protected from the invasive actions of the
private sector.274 When individual privacy is invaded by private entities,
the Constitution offers no assistance.275
2. Federal Statutory Protections
Federal statutory provisions have also failed to adequately support the
limited constitutional safeguards for medical privacy, 276 and as the use of
computer technology grows, so does the abuse of an individual’s privacy
interest in their medical records.277 One specific federal regulation of
prescription records was provided by the Omnibus Budget Reconciliation
Act of 1990278 (OBRA), which transformed the pharmacist’s role. 279
OBRA placed responsibility on all states to create laws requiring
pharmacists to take on particular legal responsibilities. 280 These minimum
standards set in OBRA are used by the federal government as a Medicaid
information). But see Paul v. Davis, 424 U.S. 693, 712-13 (1976) (holding that
state tort law protects an individual’s interest in their reputation unless it affects a
substantial interest such as employment, which would then be considered a
deprivation of a liberty or property interest)).
269. See Arnold, supra note 7, at 473.
270. See id. at 474.
271. See id.
272. Id.
273. See S CHWARTZ & R EIDENBERG , supra note 123, at 172.
274. See id.
275. See id.
276. See id. at 175.
277. See Arnold, supra note 7, at 474.
278. 42 U.S.C. § 1396r-8 (1994 & Supp. IV 1999).
279. See Brenda Jones Quick, The Cost of the Omnibus Budget Reconciliation
Act of 1990, 2 OHIO N.U. J. OF PHARMACY & L. 145, 145 (1994).
280. See id.
946
NEW ENGLAND LAW REVIEW
[Vol. 35:4
funding mechanism.281 Under this statute, pharmacists must try to obtain
personal data on each patient, including their medical history, 282 and must
counsel their patients on certain designated matters. 283 Furthermore, they
must also create patient profiles which should include the state of the
patient’s disease in addition to notations made by the pharmacists. 284 In
addition to OBRA, many state legislatures have extended the pharmacist’s
authority to include the initiation and adjustment of a patient’s drug
therapy and the ordering of laboratory testing. 285 This extension is
supported by both the federal and states’ legislatures’ beliefs that
appropriate medication use by patients will significantly reduce the cost of
healthcare.286 Enlargement of the pharmacist’s authority along with the
ability to access all relevant information will result in better informed
pharmacists who can provide superior treatment. 287
Although OBRA may help to reduce some healthcare costs, its drafters
failed to consider that many people view their medical information with
exceeding sensitivity, requiring a heightened level of privacy. 288 This is
particularly true since the statute fails to give patients any legal guarantees
that their pharmacy records will remain confidential and will not be
disclosed without their consent some time in the future. 289
Not
surprisingly, patients are often hesitant to disclose information with
281. See Berger, supra note 23, at 140.
282. See 42 U.S.C. § 1396r-8 (g)(2)(A)(ii)(II) (1994 & Supp. IV 1999).
283. See id. § 1396r-8 (g)(2)(A)(ii)(I). The following information assists
pharmacists with the required counseling:
(aa)
The name and description of the medication.
(bb)
The route, dosage form, dosage, route of administration, and
duration of drug therapy.
(cc)
Special directions and precautions for preparation, administration and use by the patient.
(dd)
Common severe side or adverse effects or interactions and
therapeutic contraindications that may be encountered, including their
avoidance, and the action required if they occur.
(ee)
Techniques for self-monitoring drug therapy.
(ff)
Proper storage.
(gg)
Prescription refill information.
(hh)
Action to be taken in the event of a missed dose.
Id.
See Berger, supra note 23, at 140.
See id.
See id.
See id.
See Quick, supra note 279, at 160-61.
See id. An Ohio court ruled that a “statutory and regulatory program
allowing officers and pharmacy board agents to inspect records withstands
constitutional scrutiny” because patients had no legitimate privacy expectatio n.
See Stone v. Stow, 593 N.E.2d 294, 297 (Ohio 1992).
284.
285.
286.
287.
288.
289.
2001]
WELD V. CVS PHARMACY, INC.
947
pharmacists that they wish to keep private. 290 It is clear that once
individuals discover the lack of legislation protecting the confidentiality of
their pharmacy records and communications with their pharmacist, there
could be a “chilling effect on the pharmacist’s efforts to collect the data . .
. [needed] to provide proper counseling as required by OBRA.”291
However, through the enactment of regulations guaranteeing patients
some degree of confidentiality with regard to their pharmacy records and
communications with their pharmacist, Congress could ameliorate this
statutory deficiency.292
Congress provided more general privacy protections with its enactment
of the Privacy Act293 and the Freedom of Information Act (FOIA), 294 both
of which were created to protect individuals from covert government
control of private information.295 These laws promote protection of
confidential information, yet also allow access to it. 296 The Privacy Act is
presumed to give individuals control over the use and collection of private
information by the federal government.297 When agencies gather data on
individuals, this statute requires them to give notification that the data is
being collected, to explain the purpose for which the data is being
collected, and to inform the individuals as to voluntary or mandatory
nature of the disclosure.298 The Freedom of Information Act makes
executive branch records available to any member of the public, unless the
records fall within at least one of nine exemptions. 299 One of these
exemptions includes “personnel and medical files and similar files the
disclosure of which would constitute a clearly unwarranted invasion of
personal privacy.”300 “Congress enunciated . . . [that this particular
exemption requires] the balancing of private and public interests.” 301
With regard to medical information, the Privacy Act and FOIA “apply
to federal institutions and to Medicare and Medicaid programs [sustained]
by a federal agency.”302 The Privacy Act is also applicable to insurance
companies participating in the Medicare program and to hospitals
See Quick, supra note 279, at 161.
Id.
See id.
See 5 U.S.C. § 552a (1994).
See id.
See Arnold, supra note 7, at 475.
See id.
See id.
See id.; see also 5 U.S.C. § 552a (e)(3) (1994).
See 5 U.S.C. § 552(b).
Id. § 552 (b)(6).
Department of the Air Force v. Rose, 425 U.S. 352, 373 (1976).
Arnold, supra note 7, at 475 (citing HERMAN SCHUCHMAN
CONFIDENTIALITY OF HEALTH RECORDS 67 (1982)).
290.
291.
292.
293.
294.
295.
296.
297.
298.
299.
300.
301.
302.
ET AL.,
948
NEW ENGLAND LAW REVIEW
[Vol. 35:4
possessing a government agency contract to maintain medical records.303
However, if a private entity does not participate in a program administered
by the federal government, the safeguards offered to individual medical
records by these acts are immaterial since the protections solely apply to
information maintained and controlled by the federal government. 304
The Americans with Disabilities Act (ADA) 305 is another federal statute
that attempts, in part, to protect individual medical records. 306 The ADA’s
purpose is to prevent employers from using an employee or job applicant’s
health as a consideration in making employment decisions. 307 However,
this law has not been able to offer much protection because it is very
difficult for most job applicants to prove that their health information was
a factor in the employment decision.308 The Age Discrimination in
Employment Act309 has proven to be even less helpful.310 This statute
forbids the use of age as a consideration in making hiring and firing
decisions, however, it does not protect individuals who are adversely
affected by such employment decisions resulting from the consideration of
medical information.311
Employers today possess a great deal of medical information about their
employees.312 The Employment Retirement Income Security Act of 1974
(ERISA) allows many employers to self-insure, and through the process of
utilization review, in addition to claims processing and auditing,
employers have significant contact with the private medical information of
employees.313 Furthermore, a self-insured employer may rewrite his
303. See Arnold, supra note 7, at 475; 5 U.S.C. § 552a (m)(1) (1994 & Supp.
IV 1999).
See Arnold, supra note 7, at 475.
42. U.S.C. § 12101 (1990).
See SCHWARTZ & REIDENBERG , supra note 123, at 177.
See id.
See id.
29 U.S.C. § 621 (b) (1994 & Supp. IV 1999).
See SCHWARTZ & REIDENBERG , supra note 123, at 177.
See id. An individual’s medical information is best protected in the
United States when treatment is received from a federally funded substance abuse
clinic or a facility subject to federal regulation. See id. at 177-78. This is because
the laws in this area provide for outstanding data protection. See id. at 177. The
goal of these laws is to encourage participation in drug and alcohol treatment
programs, thus, the confidentiality of the programs is very structured. See id.
312. See Rubinstein, supra note 36, at 210.
313. See id. In Doe v. Southeastern Pennsylvania Transportation Auth., 72
F.3d 1133 (3d Cir. 1995), the plaintiff sued his employer when his identity
appeared in a utilization report linked with his prescription for zidovudine, a drug
used to treat HIV, and subsequently the plaintiff’s supervisor revealed the
plaintiff’s HIV status to other employees. See id. at 1135-37; Rubinstein, supra
note 36, at 210 n.56. The plaintiff prevailed at trial, but his $125,000 award was
overturned on appeal because the court reasoned that the employer’s interest in the
304.
305.
306.
307.
308.
309.
310.
311.
2001]
WELD V. CVS PHARMACY, INC.
949
health plan excluding high-cost illnesses, after having collected
information about high-cost employees plagued by these costly
sicknesses.314 The ADA offers no protection to the employee under these
circumstances because “[d]iscrimination in health benefits is permissible
under the ADA so long as it is based on valid actuarial principles and is
not a subterfuge for disability discrimination.”315
B. Proposed Federal Legislation
Three bills have been introduced in the U.S. Senate with the intent of
protecting the confidentiality and privacy of medical records. 316 The first
is sponsored by Senator Patrick Leahy (D-Vt.) and is called the Medical
Information Privacy and Security Act (Leahy bill). 317 The second is the
Health Care Personal Information Non-Disclosure Act (Jeffords bill),
which is sponsored by the Senate Health, Education, Labor and Pensions
Committee Chairman James Jeffords (R-Vt.) and Senator Christopher
Dodd (D-Ct.).318 The third bill was introduced by Senator Robert Bennett
(R-Utah) and is entitled the Medical Information Protection Act of 1999
(Bennett bill).319
These three bills have many similarities, including a finding by
Congress that individuals are entitled to confidentiality of their protected
medical and health related records and empowering patients to copy,
examine and modify their records.320 Furthermore, they require that
organizations maintaining this type of information provide notice to
consumers detailing the organization’s purpose for using and disclosing
data, explaining their confidentiality practices, and notifying consumers of
plaintiff’s pharmacy information outweighed the “minimal intrusion” into the
plaintiff’s privacy. See id. at 1135, 1143; Rubinstein, supra note 36, at 210 n.56.
314. See generally McGann v. H & H Music Co., 946 F.2d 401 (5th Cir.
1991).
315. GENETIC S ECRETS : P ROTECTING P RIVACY AND C ONFIDENTIALITY IN THE
GENETIC ERA 295 (Mark A. Rothstein, ed. 1997).
316. See Rubinstein, supra note 36, at 219.
317. See id. (citing H.R. 1057, 106th Cong., 1st Sess. (1999)). Representative
Edward Markey (D-Ma.) introduced the House companion bill. See id. at 219
n.113.
318. See id. at 219 (citing S. 578, 106th Cong., 1st Sess. (1999)). Senator
Dodd hopes that this bill will represent a sensible middle ground in all of the
proposals previously offered to Congress. See id.
319. See id. (citing S. 881, 106th Cong., 1st Sess. (1999)) This bill is
generally favored by the data user community and has been endorsed by forty-four
organizations “including the American Association of Health Plans, the Health
Insurance Association of America, the Association of American Medical Colleges,
the American Hospital Association and the Pharmaceutical Research and
Manufacturers Association.” Id.
320. See id.
950
NEW ENGLAND LAW REVIEW
[Vol. 35:4
their privilege to access and modify their records. 321 Facilities that house
protected medical information and records are required by all three bills to
create procedures, policies, and safeguards to ensure the security of these
files.322 Also, if an individual’s privacy rights are violated, “all provide a
broad array of enforcement mechanisms” against the violators. 323
Not surprisingly, these three bills also contain many disparities. 324
Nonidentifiable health information is exempted from coverage in all of the
bills, nonetheless the definition of this term varies in each. 325 The Leahy
bill “requires that ‘all personal identifiers . . . have been removed and a
good faith effort to evaluate the risks of re-identification has been
made.’”326 The Jeffords bill stipulates that “the information ‘does not
directly reveal the identity of the individual . . . and there is no reasonable
basis to believe that such information could be used, either alone or with
other information . . . to reveal the identity of the individual.’” 327
Information is excluded by the Bennett bill “‘from which personal
identifiers that directly reveal the identity of the individual . . . or provide
a direct means of identifying the individual (such as name, address and
social security number) have been removed, encrypted or replaced with a
code, such that the identity of the individual is not evident.’” 328 It is likely
that this provision will be considered insufficient by groups who argue
that it is possible to identify individuals by deciphering encrypted data and
connecting it with public information.329
These three bills also approach consent issues in substantially different
ways.330 According to the Jeffords bill, providers and payers may demand
“that patients consent to disclosure of their medical information for
treatment, payment and ‘health care operations’ purposes as a condition of
321. See id.
322. See Rubinstein, supra note 36, at 219.
323. Id. These enforcement mechanisms “include civil and criminal sanctions
for wrongful disclosure.” Id. at 219 n.122.
324. See id. at 220.
325. See id.
326. Id. (citation omitted).
327. Id. at 220 (citation omitted).
328. Rubinstein, supra note 36, at 220 (citation omitted). The interpretation
of this passage from the Bennett bill will likely hinge on the definition of
“evident” being applied. See id.
329. See id. “The obsession of some privacy advocates with the possibility
that encrypted or anonymized data will be turned into identifiable data and be
publicly released injects a red herring into the privacy debate.” Id. at 229.
Although “it may be possible, in theory, for a medical or health policy researcher
to identify a data subject from anonymized data, institutional norms already create
a substantial disincentive for the researchers to do so.” Id.
330. See id. at 220.
2001]
WELD V. CVS PHARMACY, INC.
951
receiving service.”331 Similarly, the Bennett bill provides that all
individuals participating in health insurance programs sponsored by their
employer or in individual health plans must provide, as a condition of
participation, a blanket consent which authorizes use of protected medical
information for payment, treatment, and health care operations. 332
However, the Leahy bill with its narrower view, permits payers and
providers to condition a patient’s procurement of medical services on the
patient’s consent to disclose their information for payment and treatment
purposes, omitting the requirement that a patient consents to disclosure for
“health care operations” purposes.333
These bills all forbid the
withholding of services by payers and providers from patients who did not
consent to disclosure of their medical information for marketing
purposes.334 Moreover, each addresses the use of identified medical
information for the purpose of health research without the individual’s
consent.335
Preemption is another issue causing significant discord between the
opponents and proponents of these bills. 336 This “debate involves the
331. Id. (citation omitted). Healthcare operations are defined as “act ivities
that implement a health benefits contract or those that are part of the management
function of health plans and service providers.” Id. Some examples of these
functions are “quality assurance, outcomes research, accreditation, licensing,
analysis of claims and medical records, utilization review, underwriting, [and]
auditing.” Id.
332. See id.
333. See id.; see also supra note 331 (defining healthcare operations).
334. See Rubinstein, supra note 36, at 220.
335. See id. at 221. In the Leahy bill, organizations must first determine
whether their stated public health purpose can be achieved by using de-identified
data prior to the release of identifiable data. See id. This bill would also expand
the “Common Rule,” which currently regulates federally funded research on
human subjects to include similar research that is privately funded. See id.
Therefore, unless an institutional review board (IRB) determines that waiver of an
individual’s consent to disclose identifiable medical data is justifiable, al l
privately funded human subject research using such data will require informed
consent by the individual research subjects. See id. The Jeffords bill “does not
extend the ‘Common Rule’ to privately funded research,” but instead “maintains
the status quo on disclosure of protected health information to health researchers
for the time being.” Id. If any of three conditions are met, the Bennett bill permits
access to identifiable medical information for research purposes. See id. First,
under the “Common Rule,” access will be allowed if the research is authorized by
an IRB. Second, “[a]ccess to health care records and medical archives may also be
granted to researchers, after review by an internal board or committee, under the
terms of a written confidentiality agreement between the organization maintaining
the records and the researcher.” Id. Third, “access to identifiable health
information may also be granted to manufacturers of drugs, medical devices and
biologics for monitoring or verifying the safety or efficacy of their products.” Id.
336. See id. at 221-22.
952
NEW ENGLAND LAW REVIEW
[Vol. 35:4
extent to which federal legislation will preempt state law.” 337 The data
users advocate that any new federal legislation regulating medical record
privacy should completely preempt all state law. 338 Conversely, the
privacy advocates argue that only less protective state law should be
preempted by the new federal legislation. 339 However, both sides agree
that a health information system cannot function effectively if it has fifty
unique sets of ground rules.340 Data users will likely be unsatisfied by the
Jeffords and Leahy bills’ treatment of the preemption issue. 341 The
Jeffords bill “protects existing state laws on medical record confidentiality
and gives the states eighteen months from the date of its enactment to
impose more restrictive regulations.” 342 States will not be permitted to
pass any new legislation for the protection of health record confidentiality
after the eighteen-month period expires.343 The Leahy bill is even more
permissive of preemption than the Jeffords bill. 344 It allows states to
legislate more restrictively than the federal government in the area of
medical information privacy and confidentiality, and they may do so at
any time.345 However, data users will most likely favor the Bennett bill
which proposes to preempt practically all state legislation regarding
“disclosure and use of identifiable health information,” making federal
regulation the last and only word on the subject. 346
C. Weld v. CVS Pharmacy, Inc. and Federal Privacy Protections
Although the current federal laws offer protection of some medical
records, it is obvious from their descriptions 347 that they fail to safeguard
the medical and prescription records of individuals from privately
operated entities such as CVS. Even the United States Constitution is
only able to offer protection to individuals whose privacy is invaded by
the government, and similar to the current federal laws fails to protect
against individual privacy violations caused by private organizations. 348
To say the least, legislation protecting individual pharmacy and medical
records from disclosure to the private sector is conspicuously absent.
337.
338.
339.
340.
341.
342.
343.
344.
345.
346.
347.
348.
Id. at 217.
See id.
See id.
See Rubinstein, supra note 36, at 217.
See id. at 221.
Id. at 222.
See id.
See id.
See id.
Rubinstein, supra note 36, at 222.
See supra notes 276–315 and accompanying text.
See supra notes 242–75 and accompanying text.
2001]
WELD V. CVS PHARMACY, INC.
953
Undoubtedly, the current legislation proposed to safeguard medical
record privacy would ease some of the concerns raised in Weld. However,
the greatest obstacle to the enactment of one of these proposed bills is the
critical requirement of compromise between data users and privacy
advocates, especially regarding the issue of preemption. All three of the
proposed bills recognize that researchers must be able to access medical
data without having to first obtain consent from each and every subject. 349
The bill proposed by Senator Bennett is the most flexible in making data
available to institutional researchers, yet it still safeguards patient privacy
interests.350 Nonetheless, as data users compare these competing bills they
may realize that consent requirements are less of a problem for them than
the preemption provisions.351
The Bennett bill proposes to preempt almost all state legislation
concerning medical record privacy, while the Jeffords and Leahy bills
both permit more restrictive legislation by the states to stand. 352
Accordingly, if the Bennett bill does not prevail, data users face the
possibility that their access to data in some states may be restricted by
more stringent state laws.353 The consequence of these laws may be
restriction on the work of doctors, researchers, health plans, and others
who are interested in improving the delivery of healthcare. 354 These
potential laws may also cause the undesired result of skewing research
conclusions, if they deprive data users of access to information concerning
key populations.355
Conversely, the preemption provisions of the Leahy and Jeffords bills
would cause the citizens of states choosing not to enact more stringent
legislation to bear any minimal privacy invasions resulting from access by
researchers to their medical records, while individuals residing in other
states would be free from this burden of disclosure. 356
Obviously, some federal protection is needed to safeguard the
confidentiality of individual medical records. Without federal legislation
in this area, individuals similarly situated to the plaintiffs in Weld will be
See Rubinstein, supra note 36, at 230.
See id.
See id.
See id.
See id.
See id.
See Rubinstein, supra note 36, at 230. Other undesirable consequences
of state medical record privacy laws that are too restrictive would include placing
researchers within the state at a competitive disadvantage in obtaining funding for
their work, deterring businesses involved in the development of medical
technology from locating in the state, and causing health plans that rely on data to
assess the cost effectiveness of medical care to restrict access to certain services or
even leave the state altogether. See id. at 230 n.213.
356. See id. at 230.
349.
350.
351.
352.
353.
354.
355.
954
NEW ENGLAND LAW REVIEW
[Vol. 35:4
forced to rely on the protections provided, or not provided, by the state in
which they or their medical records reside. However, if the nation as a
whole is to benefit from the work of data users and researchers, it seems
only right that minimal burdens on individual privacy interests be spread
among all citizens of the United States, and this can only be achieved by
the enactment of certain minimum federal safeguards.357
V. LAWS REGARDING PHARMACISTS
A. Massachusetts Laws Governing Pharmacists
There is definitely no lack of legislation in Massachusetts overseeing
the practice of pharmacy. The state has several requirements and
expectations for pharmacists practicing in the Commonwealth which are
detailed in a specific set of rules classified in the Code of Massachusetts
Regulations under the Board of Registration in Pharmacy 358 as well as in
the Massachusetts General Laws.359 The regulations most relevant to the
present topic are those requiring pharmacists to maintain the
confidentiality of communications between themselves and their patients
while also keeping those patients’ records private. 360 The first and most
definitive regulation in this area indicates that:
357. See id.
358. See MASS . R EGS . C ODE tit. 247, § 9.00 (1999). Some of these provisions
require that pharmacists always conduct their professional activities in compliance
with all regulations of the Board of Registration in Pharmacy, as well as with
municipal, state and federal law. See id. § 9.01(1). Pharmacists are also forbidden
to dispense any substance, medication or device in a manner that will either
directly or indirectly bypass or disregard the law. See id. § 9.01(2). Furthermore,
they must observe current U.S. Pharmacopoeia standards and when on duty are
responsible for all preservation, storage, and security of all drugs in the pharmacy.
See id. §§ 9.01(3), (5). Pharmacists must also maintain separate prescription files
for certain controlled substances, and these must be segregated from all other
records in the pharmacy. See id. § 9.05.
359. See, e.g., MASS . GEN. LAWS ch. 13, § 22 (2000) (covering board of
registration in pharmacy, membership, qualifications, appointment, and term);
MASS. GEN. LAWS ch. 94C, § 21A (covering prescriptions, prospective drug review
and counseling by pharmacists); MASS. GEN. LAWS ch. 112, § 24 (2000) (covering
registration of pharmacists, examination, and fees); MASS. GEN. LAWS ch. 112, §
24A (2000) (covering records, expiration of registrations, renewals, reinstatement,
and fees); MASS. GEN. LAWS ch. 112, § 61 (2000) (suspension, revocation or
cancellation of certificate, registration, license or authority by boards, student loan
defaulters, and review); and MASS. REGS. CODE tit. 247, § 9.05 (1999) (covering
prescription file maintenance).
360. See MASS . R EGS . C ODE tit. 247, § 9.01(19) (defining the code of
professional conduct for registered pharmacists, pharmacies, and pharmacy
departments); see also id. § 9.07 (regarding the maintenance of patient records,
conducting a prospective drug utilization review and patient counseling).
2001]
WELD V. CVS PHARMACY, INC.
955
A pharmacist shall maintain patient confidentiality at all times. Confidential
information shall include information maintained by the pharmacist in the
patient’s records or information which is communicated to the patient as part
of patient counseling, which is privileged and may be released only by the
patient or to those practitioners and other pharmacists where, in the
pharmacist’s professional judgment, such release is necessary to protect the
patient’s health and well being; and to such other persons or governmental
agencies authorized by law to receive such confidential information. 361
This regulation also protects the privacy of a person’s pharmacy records
by prohibiting pharmacists from participating in any acts that are
deceptive or fraudulent.362 Arguably, this language could include the
disclosure or sale of the information in individual pharmacy records to a
third party without the patient’s knowledge or consent as a deceptive act
by the pharmacist or the pharmacy. Another regulation mandates that a
patient’s pharmacy records be maintained in a confidential manner. 363 The
purpose of this rule is to improve the public’s health and welfare by
requiring pharmacists to offer their patients the opportunity to discuss any
questions and concerns they may have about their prescriptions. 364 These
consultations help to promote “optimum therapeutic outcomes, avoid
patient injury and reduce medication errors.” 365
The legislature’s
insistence that “[a] pharmacist or [the] pharmacist’s designee . . . maintain
a confidential record for all patients for whom prescriptions are
dispensed” only aids in promoting this regulation’s ultimate goal of
enhancing public health and welfare.366 The pharmacist’s offer to counsel
the patient should be made to them either in person or by telephone. 367
Id. § 9.01(19).
See id. § 9.01(6).
See id. § 9.07(1)(a).
See id. § 9.07.
Id.
See MASS. REGS. CODE tit. 247, § 9.07(1)(a) (1999). This regulation also
indicates the type of information that pharmacists should include in a patient’s
record. See id. “The patient record system shall provide for the immediate
retrieval of information necessary for the pharmacist to identify previously
dispensed drugs at the time the prescription is presented for dispensing.” Id. The
pharmacist and his assistant must also acquire, document, and maintain the
patient’s “name, address, telephone number, date of birth or age, and gender of the
patient for whom the prescription is intended.” Id. § 9.07(1)(a)(1). They must
also record “individual history, . . . drug allergies and drug reactions; . . . a
comprehensive list of medications and relevant devices dispensed by the
pharmacy; and . . . the pharmacist’s comments relevant to the patient’s drug
therapy.” Id. §§ 9.07(1)(a)(2), (3).
367. See id. § 9.07(3)(e).
361.
362.
363.
364.
365.
366.
956
NEW ENGLAND LAW REVIEW
[Vol. 35:4
The regulation also specifies that the offer to counsel can be made to an
individual acting on the patient’s behalf, but only if “confidentiality can
be maintained.”368
B. Weld v. CVS Pharmacy, Inc. and the Laws Overseeing Pharmacists in
Massachusetts
These laws clearly demonstrate the legislature’s intent to protect the
privacy and confidentiality of individual pharmacy records from
inappropriate and unauthorized disclosure. It is also indisputable that
Massachusetts law specifically recognizes that prescription records are
confidential. However, the question in Weld is whether CVS breached a
duty of confidentiality to its customers, not whether the CVS pharmacists
breached this duty. Nonetheless, it is still quite likely that CVS violated
the confidentiality and privacy of its customers.
CVS expressly maintained in a brochure that it recognized a customer’s
expectation of privacy and affirmatively represented to individuals reading
the brochure that only the customer, their doctor, and the CVS pharmacist
would have access to the customer’s prescription information maintained
by the pharmacy.369 Accordingly, it can be argued that these express
statements in the brochure created a duty of confidentiality owed by CVS
to its customers. This duty was subsequently breached by CVS when it
created mailing lists for drug manufacturers to better target particular
markets by using the confidential prescription information in its databases.
The regulation protecting pharmacist-patient confidentiality was most
likely created by the legislature with the intent of protecting individual
pharmacy records from unauthorized disclosure to third parties. 370 A
broad interpretation of this regulation could make it applicable to Weld
and fulfill this intention. Since pharmacists owe a duty of confidentiality
to their patients, it seems only logical that this confidentiality can only be
maintained successfully if the pharmacists’ employers also respect it.
Likewise, when a large drugstore chain, such as CVS, employs
pharmacists, the pharmacists alone cannot maintain prescription record
privacy. It is critical that the pharmacists receive support from their
superiors and the company itself in order to ensure that confidentiality is
maintained. If pharmacists do not receive the necessary support, they will
be faced with the choice of challenging management and company
policies or leaving their job.
These alternatives are obviously impractical for pharmacists to exercise
regularly and that is why the regulation protecting pharmacist-patient
368. Id.
369. See Plaintiff’s Mem. Opp’n. Summ. J., supra note 209, at 25.
370. See supra notes 358–68 and accompanying text.
2001]
WELD V. CVS PHARMACY, INC.
957
confidentiality should be extended to the pharmacists’ employers. In the
instant case, this extension would require CVS to maintain the same level
of privacy and confidentiality that its individual pharmacists are required
to maintain by law.
It is interesting to note that Massachusetts law also provides a code of
professional conduct for veterinarians,371 requiring that they too maintain
“a confidential relationship with . . . [their] clients . . . .”372 The fact that
the legislature decided to protect the medical record privacy of animals
would seem to indicate that protection of the privacy and confidentiality
of all medical communications and records is taken very seriously by the
Massachusetts Legislature. Accordingly, individual pharmacy records
should also receive such protection.
C. Other Rules Overseeing Pharmacists
Pharmacists and physicians also have ethical obligations which
supplement the legal protections given to medical records and
information.373 All doctors must take the Hippocratic Oath, which
requires that physician-patient communications remain confidential, and
in section 5.05 of the Principles of Medical Ethics set out by the American
Medical Association (AMA), physicians are also required to maintain
patient confidences.374 The belief behind these principles is that the most
effective treatment can only be provided when individuals feel that they
can securely divulge their personal medical information to their doctor.375
A Code of Ethics has also been created by the American Pharmaceutical
Association (APhA).376 The most relevant provisions indicate that a
371.
372.
373.
374.
See MASS. REGS. CODE tit. 256, § 7.01 (1999).
Id. § 7.01(15).
See Mowery, supra note 17, at 717.
See id. Section 5.05 of the AMA’s Principles of Medical Ethics states:
The information disclosed to a physician during the course of the
relationship between a physician and patient is confidential to the
greatest possible degree . . . . The patient should be able to make this
disclosure with the knowledge that the physician will respect the
confidential nature of the communication. The physician should not
reveal confidential communications or information without the express
consent of the patient, unless required to do so by law.
Adelman & Zahler, supra note 23, at 129, cited in Mowery, supra note 17, at 717
n. 191.
375. See Mowery, supra note 17, at 717.
376. American Pharmaceutical Association, Code of Ethics for Pharmacists
(visited May 10, 2001) <http:// www.aphanet.org/APhA/about/about.html>. The
American Pharmaceutical Association (APhA) is “the national professional society
of pharmacists . . . and is the first and largest professional association of
pharmacists in the United States.” Id. With more than 50,000 members, the APhA
958
NEW ENGLAND LAW REVIEW
[Vol. 35:4
pharmacist’s duty is to help individual patients and to maintain their trust;
pharmacists promote the patient’s welfare with compassion, caring, and
their focus is on serving their patients in a confidential manner;
pharmacists conduct their work in an honest manner and with integrity;
and a pharmacist’s primary obligation is to his individual patients. 377
However, not all states impose the APhA’s code upon pharmacists by law
as they do upon doctors with the AMA’s Principles of Medical Ethics. 378
Consequently, medical information that is protected when included in a
physician’s record may not enjoy the same protection when it is part of a
pharmacist’s record.379 Notably, neither the AMA nor the APhA’s ethical
code protects medical information that “has been disclosed to a third
party, such as a pharmaceutical company.”380
Another pharmacy association recently approved a set of privacy
provisions applicable to third parties working with pharmacies and
patients.381 These guidelines were created by the National Association of
Boards of Pharmacy (NABP) in early 1999, with the goal of providing a
model for states striving to assure that prescription records remain
confidential.382 The driving concern prompting the creation of these
measures was “that some third-party organizations – such as insurance
carriers, pharmacy benefits management companies, and marketing firms
– try to influence patients to switch their drug regimens [or attempt to
guide individuals away from a particular course of therapy, purely for
financial gain].”383 These guidelines are intended to secure the privacy of
patient-identifiable information that is being managed by patient
compliance and intervention programs in order to counteract this
conduct.384 The NABP hopes to append the final version of these
measures to the NABP Model State Pharmacy Act, which oversees the
Boards of Pharmacy of each state.385
provides pharmacists with both professional information and education, while
advocating comprehensive pharmaceutical care in order to improve th e American
public’s health. See id.
377. See id. §§ I-II, IV, VII.
378. See Mowery, supra note 17, at 717-18.
379. See id. at 718.
380. Id.
381. See Porter, supra note 101, at 98.
382. See id. The NABP is comprised of pharmacy regulators from all over
the United States. See id.
383. Id. at 98-100.
384. See id. at 100. These programs are defined by the NABP as those that
contact patients to improve their use of prescription medication, advocate
“appropriate monitoring and self-reporting of medication use; provide educational
information about the patient’s disease state; and discuss and/or affect a patient’s
therapy or choice of medication.” Id.
385. See id. at 100-02.
2001]
WELD V. CVS PHARMACY, INC.
959
These various rules and provisions do encourage healthcare
professionals to maintain the privacy and confidentiality of medical
information, and the organizations that draft them hope they will be used
by legislatures to create laws regarding professional codes of conduct.386
Nevertheless, these codes of conduct offer only suggested guidelines to
legislatures, and do not offer any support to the plaintiffs’ arguments in
Weld because they only impose ethical obligations and do not have the
force of law in all states.387
D. Duties of Confidentiality in Other Professions
The pharmacist-patient relationship is often considered a derivative of
the doctor-patient relationship, since both pharmacists and physicians
frequently work together for the patient’s benefit. 388 The doctor-patient
relationship has traditionally been highly respected. 389 Its mandate of
confidentiality is prescribed by the Hippocratic Oath, which states that
“whatsoever I shall see or hear in the course of my profession . . . if it be
what should not be published abroad, I will never divulge, holding such
things to be holy secrets.” 390 Physician-patient confidentiality helps to
enhance diagnosis and treatment and is passionately guarded by doctors. 391
This doctor-patient privilege encourages individuals to seek treatment
knowing that their personal health information will remain private. 392
Over the past two decades, “courts have imposed liability on physicians
who disclose confidential information about their patients based on a
variety of legal theories.”393 These include contract law, where a promise
is implied by the doctor not to disclose confidential information, breach of
fiduciary duty, invasion of privacy, libel, and various state licensing
386. See supra notes 381-85 and accompanying text.
387. See supra notes 373-80 and accompanying text.
388. See Joanne C. Brant, Ethical Issues and Trouble Spots, 4 OHIO N.U. J.
PHARMACY & L. 25, 28 (1995).
389. See Arnold, supra note 7, at 473.
390. Id. at 473 n.112 (citations omitted).
391. Id. at 473.
392. Id. The physician-patient privilege in Massachusetts derives from case
law since the legislature has not enacted a privilege that would apply to physicians
in the private sector. See Arzt, supra note 188, at 189; see also, e.g., Alberts v.
Devine, 479 N.E.2d 113, 120 (Mass. 1985) (holding “that a duty of confiden tiality
arises from the physician-patient relationship and that a violation of that duty,
resulting in damages, gives rise to a cause of action sounding in tort against the
physician”); Ryan v. Board of Registration in Medicine, 447 N.E.2d 662, 663
(Mass. 1983) (affirming a decision to censure a physician who disclosed a
patient’s confidential medical information).
393. See Joanne C. Brant, supra note 388, at 29.
960
NEW ENGLAND LAW REVIEW
[Vol. 35:4
laws.394 For similar reasons, many state legislatures have also provided
for a psychotherapist-patient privilege, along with creating laws that
protect the confidentiality of communications between licensed social
workers and their clients as well as between psychologists and their
clients.395
With regard to the confidentiality of the medical records maintained in a
hospital, patients have a recognized interest in the information contained
in the record, yet the hospital is still the owner of it. 396 However, the
hospital is only considered a “custodian of the information” contained in
the record and can be held liable if it improperly reveals the medical
information of its patients without proper authorization. 397 Recovery is
normally based on common law claims such as invasion of privacy,
defamation, and breach of contract, but “recovery can be difficult because
the patient must show injury in order to maintain a claim.” 398 Unless
abuse or a public hazard is suspected, patients have the right to assume
that all medical records maintained by a hospital with regard to the
patient’s care will be treated as confidential.399
Healthcare information is often maintained not only by hospitals but
also by third-party payors.400 Insurance companies may compile and share
client information, but this is a qualified privilege only allowing insurance
companies to trade the insured’s or applicant’s confidential information
for the purposes of determining eligibility or claim remuneration. 401 Most
of these informational practices by insurance companies are unregulated
by the states.402 The information possessed by insurers is often supplied to
pharmaceutical companies which receive it second-hand, and do not
always use the information for the provision of healthcare services. 403
394. See id.
395. See supra notes 176-79 and accompanying text.
396. See W ILLIAM H. R OACH, J R., ET AL., MEDICAL R ECORDS AND THE LAW 61
(1985).
397. Arnold, supra note 7, at 471. Many hospitals follow the standards set by
the Joint Commission on Accreditation of Hospitals (JCAH). See id. at 469.
These standards do not have the force of law, but wield a great deal of power since
many states accept JCAH accreditation as a basis for licensure and because
hospitals accredited by JCAH also meet the requirements to participate in the
federal Medicare program. See id. at 469-70. In addition to holding the hospital
responsible for preventing the records from being used by unauthorized
individuals, the JCAH standards illustrate the significance of ensuring that records
are secure, confidential and authentic. See id. at 470.
398. Id. at 471.
399. See Cuzmanes & Orlando, supra note 70, at 27.
400. See Mowery, supra note 17, at 716.
401. See id.
402. See id.
403. See id.
2001]
WELD V. CVS PHARMACY, INC.
961
However, state law does not obligate these types of secondary users to
maintain any degree of confidentiality. 404 “Therefore, the development of
data collectors in the private sector has occurred without regulation,
statutory guidance, or a means by which to redress privacy violations.” 405
Without a duty of confidentiality between patients and drug companies, it
is unlikely that a tort claim against a secondary user will be successful. 406
Consequently, the privacy concerns which ensue from the creation of
“large commercial databases” by secondary users are insufficiently
safeguarded by state laws.407
E. Pharmacist-Patient Privilege
Many professions have used codes of conduct or legislative action to
implement measures that protect the privacy of individuals using their
services, however, the profession of pharmacy has not been given this
indulgence.408 Attorneys, for example, are bound by a code requiring
them to maintain client confidences unless the client consents to
disclosure.409 Similarly, the records and communications that occur
between a patient and a physician are often protected by statutes as well as
case law.410
Nonetheless, pharmacists and patients are given no
guarantees that their communications are protected, with the exception of
the pharmacist’s Code of Ethics, which covers only pharmaceutical
records.411
Pharmacists are now playing significantly larger roles in the medical
treatment of patients, yet the legal status of this relationship has not
evolved to reflect its changing character. 412 Furthermore, almost all
efforts to keep pharmaceutical records out of evidence have failed because
the courts have found that these records are not entitled to the same
confidentiality protections as those maintained by doctors or the private
communications of attorneys. 413 In light of such rulings, patients may be
reluctant to reveal private information to their pharmacists and arguably
pharmacists may have a moral, if not an ethical responsibility to notify
404.
405.
406.
407.
408.
409.
410.
411.
412.
413.
See id. at 716.
Id. at 716-17.
See Mowery, supra note 17, at 717.
Id.
See Quick, supra note 279, at 160.
See id.
See id. at 160-61.
See id. at 161.
See Adelman & Zahler, supra note 23, at 139.
See Quick, supra note 279, at 161 & n.85.
962
NEW ENGLAND LAW REVIEW
[Vol. 35:4
their patients that the information in their records may become subject to
examination by others.414
Many in the professions of law and pharmacy have indicated that
communications between pharmacists and patients should be treated
similarly to those between doctors and patients. 415 “The confidential
nature of prescription records and other documents maintained by
pharmacists warrants such an extension of the statutory physician-patient
privilege to pharmacists.”416 At the very least, these records should be
given common law or constitutional protection, if their disclosure causes
an invasion of the patient’s right to privacy. 417
When pharmacists breach their duty of confidentiality, lawsuits are
uncommon or settlement is usually reached in the early stages of the
suit.418 Although some state statutes define “healthcare provider” as
including pharmacists, this is usually insufficient to permit the pharmacist
to invoke the doctor-patient privilege, and only a limited number of states
will allow this in a court proceeding. 419 However, certain similarities in
these relationships indicate that it may be appropriate for a pharmacist on
certain occasions to defend himself with the same legal theories a
physician might use.420 One such similarity is that both are protected from
civil liability, when the disclosure or testimony by the doctor or
pharmacist is required by a court order.421
Sometimes the doctor-patient privilege may be invoked to prevent
production of documents.422 However, use of the privilege can be limited
for a pharmacist or doctor since it actually belongs to the patient who may
waive it at any time.423 Therefore, if the patient does not consent to the
See id. at 161.
See Adelman & Zahler, supra note 23, at 139.
Id.
See id. at 139-40.
See Joanne C. Brant, supra note 388, at 29.
See id.
See id.
See id. However, not all disclosures are protected from civil liability
since it has been commonly held that “‘[t]here is an assumption that the physician patient privilege affects any use of the so-called confidential matter in a medical
record.’ This assumption is incorrect. The rule prohibiting the disclosure of
privileged medical communications is statutory and applies only with respect to
disclosures in judicial or quasi-judicial proceedings.” Id. at 29-30 (citation
omitted). Conversely, disclosure of information out of court may be unethical, but
does not constitute a claim under the statutes governing privileged
communications. See id. at 30.
422. See id. at 30.
423. See id. If the police were conducting an investigation, the usefulness of
this privilege can be dramatically diminished. See id. For example, if law
enforcement or state inspectors demand all prescription records dispensed by a
pharmacy over a period of several months, the privilege is virtually ineffective.
414.
415.
416.
417.
418.
419.
420.
421.
2001]
WELD V. CVS PHARMACY, INC.
963
invocation of the privilege neither the physician nor the pharmacist can
claim it.424
Historically, the holdings have been varied with regard to recognition of
a pharmacist-patient privilege,425 and many courts are reluctant to
recognize it.426 However, concerted efforts must be made to create laws
guaranteeing some level of confidentiality for a patient’s pharmaceutical
records.427 Even if the information previously included in the patient’s
prescription record is not protected, at a minimum the additional
information sought for the patient’s profile, such as personal medical
history, should receive legal privacy protections. 428 New legislation
See id. Since it is almost impossible for the pharmacist to “locate and obtain the
patient’s consent to invoke the privilege for each and every prescription dispensed
during that time period, the pharmacist’s invocation of the privilege can be quickly
overcome.” Id. This will usually lead to the pharmacist invoking the Fourth and
Fifth Amendments’ right to privacy in defending against production. See id.
Applying this defense to the pharmacists, however, has been exceedingly
problematic. See id.
424. See Joanne C. Brant, supra note 388, at 30.
425. See Adelman & Zahler, supra note 23, at 146-47; see also Nelson v.
Nederland Life Ins. Co., 81 N.W. 807 (Iowa 1900) (finding that the doctor-patient
privilege forbids a physician to testify about a patient’s prescrip tion information);
Deutschmann v. Third Ave. R.R. Co., 84 N.Y.S. 887, 894 (N.Y. App. Div. 1903)
(holding that the physician-patient privilege “does not extend to a [pharmacist]
who fills physician’s prescriptions”); Green v. Superior Court, 33 Cal. Rptr. 6 04,
607 (Cal. Dist. Ct. App. 1963) (holding that the statute establishing the physician patient privilege does not extend this privilege to communications between a
pharmacist and a patient); Rudnick v. Superior Court, 523 P.2d 643, 649 -50 (Cal.
1974) (holding that a physician’s confidential disclosure “of communications
protected by the physician-patient privilege to a third person to whom disclosure is
reasonably necessary for the accomplishment of the purpose for which the
physician is consulted confers upon the third person the right to claim the
physician-patient privilege on behalf of the patient”); Evans v. Rite Aid Corp., 478
S.E.2d 846, 848 (S.C. 1996) (finding that “although the Code of Ethics of the
American Pharmaceutical Association [provides for] a pharmacist’s duty of care, .
. . it does not create . . . a statutory duty of confidentiality [for pharmacists]”); see
also In re Miner’s Will, 133 N.Y.S. 2d 27, 28 (1954) (holding that
“[c]ommunications to a [pharmacist] and prescriptions given him b y his customer
are not confidential communications protected from disclosure”); State v. Mark,
597 P.2d 406, 408 (Wash. Ct. App. 1979) (holding that the physician-patient
privilege does not protect prescription records from inspection by state auditors
especially where no public disclosure will result). But see, e.g., CAL. EVID. C ODE
§ 912, cmt. (d) (2001) (stating that “the patient’s presentation of a physician’s
prescription to a registered pharmacist would not constitute a waiver of the
physician-patient privilege because such disclosure is reasonably necessary for the
accomplishment of the purpose for which the physician is consulted”).
426. See Adelman & Zahler, supra note 23, at 127.
427. See Mowery, supra note 17, at 743 n.418.
428. See id.
964
NEW ENGLAND LAW REVIEW
[Vol. 35:4
should also control the access of secondary users, such as drug
manufacturing companies, to this sensitive and personal information.429
The personal nature of prescription records and other private information
obtained and kept by pharmacists justifies the expansion of the physicianpatient privilege to include pharmacists.430
The Massachusetts regulations that currently exist are a step in the right
direction by the legislature to actually recognize a pharmacist-patient
privilege. These rules obligate pharmacists not to disclose confidential
patient information, but they fail to regulate the access of third parties,
such as pharmaceutical companies or pharmacy management, to this
personal information. In light of the changing role of pharmacists today,
more restrictive legislation is needed to protect the information revealed
by individuals to their pharmacists in a similar fashion to that disclosed to
physicians. If such confidentiality requirements are not implemented and
the existing regulations are not better enforced, it is the patients who will
suffer. They will hesitate to reveal vital medical information to their
pharmacists in an effort to avoid unwanted disclosure, and the price they
will pay for privacy is the possibility of inadequate treatment.
VI. CONCLUSION
The privacy advocates feel that the type of privacy invasion resulting
from CVS’s patient compliance program, which was implemented to
remind CVS customers to renew their prescriptions, is a precise example
of what is wrong with the current state of medical record privacy law. 431
This point is further supported by polls which revealed that next to the
government, individuals are most disturbed by the idea of their medical
information being accessed by large private companies. 432 Nonetheless,
there are some benefits to be gained from the use of this information by
third parties, such as CVS which profits each time customers’
prescriptions are refilled.433
However, if patients fail to take their prescribed medication, then
detrimental consequences may result.434 From a public health standpoint,
it may actually be more beneficial to require companies “like CVS to
prohibit their marketing partners from making secondary use of
prescription data than to prohibit CVS from reminding their customers to
renew prescribed medication.”435 Furthermore, it makes sense for CVS
429.
430.
431.
432.
433.
434.
435.
See
See
See
See
See
See
Id.
id. at 742.
Adelman & Zahler, supra note 23, at 139.
Rubinstein, supra note 36, at 229.
id.
id.
id.
2001]
WELD V. CVS PHARMACY, INC.
965
and other pharmacies to make use of consent forms which can be easily
distributed to customers when they fill their prescriptions. 436
These forms would provide customers with the control they desire over
the disclosure of their personal prescription information. The customer
and not the pharmacy would make the choice to disclose or not disclose
individual prescription information to third parties interested in using it
for marketing purposes. If this practice were routinely implemented,
pharmacy customers would be much less likely to feel that their privacy
has been invaded when they receive promotional materials from a drug
manufacturer.
Compromise between data users and privacy advocates is critical to
achieving a workable scheme of legislation that will not only protect
individuals but also aid researchers in obtaining the data they require to
make accurate findings. It is important to remember “that both the
individual and the community have interests,” which must be carefully
balanced to provide security to each.437 When drafting a law that will
balance the interests of privacy advocates and data users, the
Massachusetts Legislature may want to carefully consider the
Confidentiality of Health Care Communications and Information Act 438
that has been enacted in Rhode Island. The statute was created with the
intention of safeguarding and maintaining the integrity of individual
healthcare information,439 and it appears to accomplish this goal by
requiring a patient’s written consent whenever their confidential
healthcare information is released with some important exceptions.440
These statutory exceptions exist to protect the community by permitting
disclosure of medical information to various researchers, government
agencies, and medical professionals when appropriate. The exceptions are
a critical part of this Act because without them these parties would only be
able to access individual medical data by obtaining written permission
from every subject whose information was to be disclosed. If such a
practice persisted, public health would surely suffer. Equally important, is
the statute’s attention to the disclosure of personal medical data to private
organizations. It requires that “[t]hird parties receiving and retaining a
patient’s confidential [healthcare] information[, such as CVS,] . . .
establish” certain minimum security procedures to ensure that the
confidentiality of these records is maintained. 441 Therefore, were this
statute applicable to Weld, CVS would be in violation of it unless CVS
See supra notes 228-31 and accompanying text.
Rubinstein, supra note 36, at 230.
See supra note 199 (describing the details of the Act).
See R.I. GEN. LAWS § 5-37.3-2 (2000).
See supra note 199 (describing these exceptions and the penalties for violation of the Act).
441. See R.I. GEN. LAWS § 5-37.3-4(c) (2000).
436.
437.
438.
439.
440.
966
NEW ENGLAND LAW REVIEW
[Vol. 35:4
obtained written waivers from the customers included on the targeted
mailing list, prior to giving it to the drug manufacturer.
This Act appears to admirably balance the concerns of researchers and
other data users with those of private individuals. It allows for legitimate
scientific study of medical data without individual authorization, yet
prohibits third parties, someone other than the patient, their pharmacist, or
their physician, from disclosing these private facts without obtaining
written consent from the individual whose information is to be revealed.
Massachusetts presently has a myriad of legislation which provides
valuable privacy protection to medical records. However, these laws do
not offer the specific protections needed to prevent unauthorized
disclosure to various parties in the private sector.
Accordingly,
Massachusetts should strive to achieve the type of balance with its
medical record privacy laws that has been demonstrated by the Rhode
Island Legislature.
Sharon R. Schawbel
Download