NEW ENGLAND LAW REVIEW [Vol. 35:4
2001] WELD V. CVS PHARMACY, INC.

COMMENTS

Are You Taking Any Prescription Medication?: A Case Comment on Weld v. CVS Pharmacy, Inc.

I. INTRODUCTION

Every day millions of individuals volunteer personal information in order to receive the benefits of health care, insurance protection, employment, driver’s licenses and consumer credit services.1 Many of them rarely question who can access this information or for what purpose it is ultimately used.2 However, today’s rapidly changing computer technology has created a mixture of advantages and disadvantages for these individuals.3 The new technology allows organizations to operate more productively and efficiently than ever before.4 Unfortunately, these improvements often result in “dramatically increased . . . volume and detail of information gathering, maintenance, storage and dissemination” of an individual’s personal data.5 This intensified record keeping has made Americans “the most scrutinized, measured, counted and interrogated people in the world,”6 and has inevitably raised questions regarding the access to, and confidentiality of, this stored information.

Due to the highly sensitive nature of health care data, the medical field frequently struggles with issues of confidentiality and disclosure of patient information.7 “Proponents of a computerized medical record have always been concerned with the problem of protecting sensitive patient information from accidental or intentional disclosure.”8 In considering the effect of the electronic age on confidentiality, one expert “believes that the new information technologies offer ‘tremendous opportunities,’ but they also create ‘new legal and ethical issues.’”9

This Comment will examine whether an individual’s privacy is invaded when private pharmacies disclose or use the customer prescription information in their databases to assist other private organizations with implementation of various marketing activities.10 This issue has already surfaced in Massachusetts in the case of Weld v. CVS Pharmacy, Inc.11 This case, which has not yet been to trial, confirms that there is a gap in the law that must now be addressed to ensure that individual pharmacy records are not accessed by private companies without the informed consent of patients. The novel issue presented in Weld v. CVS will be used to shape the discussion and analysis throughout this Comment which will explain the state of the law with regard to medical record privacy. The discussion will focus mainly on an individual’s right to privacy under the laws of Massachusetts with some comparison of the privacy laws of other jurisdictions.12 There will also be some discussion of federal privacy protections.13 Whether Massachusetts and other jurisdictions should recognize a pharmacist-patient privilege will also be considered.14

These issues regarding the confidentiality of pharmacy records are critically important for several reasons.15 “American society places a high value on individual rights, autonomous decision making, and the protection of the private sphere from governmental or other intrusion.”16 Unfortunately, there are indications “that Americans do not feel that their privacy rights in health care information are adequately protected.”17 This is a problem because several negative consequences result from healthcare information which is not afforded adequate protection.18 For example, if a patient’s healthcare information is misused or publicized, both social and psychological harm may ensue.19 There is also potential for the patient to suffer economic harm, if the unauthorized disclosure results in a loss of a job, insurance, or shelter.20 If these disclosures remain unregulated, patients will ultimately relinquish their right to decide who may access their medical information.21

1. See SPECIAL LEGIS. COMM’N ON PRIVACY, REPORT OF THE LEGIS. COMM’N ON PRIVACY, H.R. DOC. NO. 5417 (1975), available in Massachusetts Legislative Documents, H. 5417, Vol. 13, at 10 (1975).
2. See id. Generally, people assume that the collection of some personal information is necessary to living in a complex society. See id. This is especially true where individuals demand “extensive goods and services from private business and industry,” and “expect a high level of social and public services from the government.” Id. at 10-11.
3. See id. at 14.
4. See id. at 14-15.
5. Id. at 13.
6. Id.
7. See Terri Finkbine Arnold, Let Technology Counteract Technology: Protecting the Medical Record in the Computer Age, 15 HASTINGS COMM. & ENT. L.J. 455, 457 (1993). “[A] medical record ‘may contain more intimate details about an individual than could be found in any single document,’ [and] . . . is the primary source of information relating to every facet of health care, including medical history, clinical treatment, and administrative and financial resources.” Id. (quoting PRIVACY PROTECTION STUDY COMMISSION, PERSONAL PRIVACY IN AN INFORMATION SOCIETY 282 (1977)) (quoting testimony from Medical Records Hearings, June 10, 1976, at 137).
8. Id.
9. Val Cardinale, Invasion of Privacy: Keeping Rx Records Confidential: A Lost Cause?, DRUG TOPICS, Apr. 8, 1996, Vol. 140, No. 7, at 107.
10. See generally Weld v. CVS Pharmacy, Inc., 10 Mass. L. Rptr. No. 10, 217 (1999), available in No. 98-0897F, 1999 Mass. Super. LEXIS 261, at *3 (June 1, 1999). In general, Weld describes how pharmacies sometimes use their prescription databases to create targeted mailing lists for drug manufacturers based on the prescriptions filled by pharmacy customers. Armed with this information the drug manufacturer sends a mailing to the targeted individuals recommending additional or alternative medications, presumably manufactured by them, that may complement those already being taken or that may relieve other ailments likely to be suffered by those taking the particular prescription targeted. For more on CVS Weld v. CVS Pharmacy, Inc., see discussion infra Part II.
11. No. 98-0897F, 1999 Mass. Super. LEXIS 261, at *3 (June 1, 1999).
12. See infra notes 146-95 and accompanying text.
13. See infra notes 237-315 and accompanying text.
14. See infra notes 408-30 and accompanying text.
15. See infra notes 16-26 and accompanying text.
16. Lawrence O. Gostin, Health Information Privacy, 80 CORNELL L. REV. 451, 453 (1995) (footnote omitted).
17. Grace-Marie Mowery, Comment, A Patient’s Right of Privacy in Computerized Pharmacy Records, 66 U. CIN. L. REV. 697, 727 (1998) (citing Louis Harris and Assoc., Health Information Privacy Survey 22 (1993)). For example, one poll indicated that 80% of those surveyed felt that consumers’ personal information is disseminated and used without regard to consumer choice of how the information is actually used. See id. at 727 n.283.
18. See Mowery, supra note 17, at 728. The following are some examples of the documented abuses of sensitive patient information: (1) disclosure that an employee . . .
was an alcoholic; (2) sale of abortion patient names to anti-abortion organizations; (3) extortion based on knowledge that a patient was treated for venereal disease; (4) informing an employer of an employee’s mental status; (5) disallowance of health insurance eligibility based on an unconfirmed cancer diagnoses; [and] (6) an employer requesting a list of HIV-infected employees from his insurer in order to fire them. Arnold, supra note 7, at 464.
19. See Mowery, supra note 17, at 728. A man who runs a support group for individuals suffering from manic-depression, speaks openly about his own suffering, but worries about the privacy of other patients in the group because risks of disclosure may discourage individuals from joining support groups. See Michael W. Miller, Data Tap: Patients’ Records are Treasure Trove for Budding Industry, WALL ST. J., Feb. 27, 1992, at A1, A6. “‘For someone with an illness like this you have a lot of people to trust. . . . You have to trust doctors, you have to trust pharmacists, you have to trust your friends who might see you have an episode, [and you have to trust] your co-workers. Why add to the list?’” Id.
20. See Mowery, supra note 17, at 728. In a study performed by the United States Office of Technology Assessment, it was concluded that 30% of employers permit their managers to inspect the medical records of employees, most likely obtained from health insurance information in personnel files, without first obtaining the employees’ permission. See Miller, supra note 19, at A6.
21. See Mowery, supra note 17, at 728.

Likewise, without adequate safeguards, the effectiveness of the patient’s healthcare may suffer.22 “Patients will be less likely to divulge information if they are unsure their privacy will be protected, . . . [and] [i]f the information a patient gives is incomplete, diagnosis and treatment might be incorrect.”23 In order to preserve the relationship between a patient and pharmacist and to ensure the integrity of the information provided by the patient, some form of privacy protection is necessary.24 The fact that patients will not find out about an invasion of their privacy until it has already occurred is yet another reason to further protect a patient’s privacy rights.25 “Without accurate or trustworthy information, the complex, [health care] information infrastructure that is emerging in the healthcare system will not succeed.”26

Nevertheless, in creating a new policy to protect the privacy of an individual’s healthcare information, the legitimate interests that drug manufacturers have in this information must also be considered.27 Some circumstances exist where direct marketing by pharmaceutical companies, possessing an individual’s healthcare data, may actually benefit patients. For instance, Marion Merrell Dow, Inc., a pharmaceutical company, has created a database of 350,000 heart patients currently using its heart medication.28 This company uses its database to send these patients a special newsletter concerning healthy living, hence providing a benefit for these individuals.29 A computer system was developed by another pharmaceutical company which allows pharmacists to track the dispensing of a patient’s medication and then suggests drugs that might complement the patient’s current medication or recommend the substitution of a drug likely to cause fewer side effects.30 Furthermore, the pharmaceutical companies claim that the knowledge gained from patient information can be useful in recommending the most effective treatments and drugs for specific cases, thereby producing the best possible results for the patient at the lowest cost.31

22. See Gostin, supra note 16, at 490.
23. Mowery, supra note 17, at 728-29. “In the absence of the knowledge that the pharmacist will respect the confidential nature of the communication, the information may not be given and the pharmacist may not be able to effectively provide the appropriate needed services.” John Berger, Patient Confidentiality in a High Tech World, 5 OHIO N.U. J. PHARMACY & L. 139, 144 (1996); see also Harlin G. Adelman & Wendy L. Zahler, Pharmacist-Patient Privilege and the Disclosure of Prescription Records, 1 OHIO N.U. J. PHARMACY & L. 127, 152 (1992).
24. See Mowery, supra note 17, at 729. Furthermore, “a serious effort should be made to enact laws that guarantee some patient confidentiality with regard to pharmaceutical records, if not in the information previously included such as a patient’s prescription record, at least in the additional information sought for the patient’s profile such as the patient’s personal medical history.” Id. at 743 n.418 (quoting Brenda Jones Quick, The Cost of the Omnibus Budget Reconciliation Act of 1990, 2 OHIO N.U. J. PHARMACY & L. 145, 164 (1994)).
25. See Berger, supra note 23, at 144.
26. Mowery, supra note 17, at 729.
27. See id. at 729-30; see also Joshua D. Blackman, A Proposal for Federal Legislation Protecting Informational Privacy Across the Private Sector, 9 SANTA CLARA COMPUTER & HIGH TECH. L.J. 431, 454 (1993).
28. Miller, supra note 19, at A6. The patients in the database developed by Marion Merrell Dow were taking the drug Cardizem which is manufactured by this company. See id.

It is clear that the proper use of these computerized databases can provide enormous benefits.32 However, their misuse can cause irreversible injury.33 As with “most other areas of the law, we must engage in the delicate task of weighing competing interests” to determine when an individual’s medical information should be disclosed.
34 To determine whether such an invasion is warranted, the following factors should be considered:

[T]he type of record requested, the information it does or might contain, the potential for harm in any subsequent nonconsensual disclosure, the injury from disclosure to the relationship in which the record [is] generated, the adequacy of safeguards to prevent unauthorized disclosure, the degree of need for access, and whether there is an express statutory mandate, articulated public policy or other recognizable public interest militating toward access.35

29. See id.
30. See Mowery, supra note 17, at 733. For example, “a patient on estrogen might be advised to also take calcium supplements. After identifying such a patient, the pharmaceutical company would send a letter to the pharmacist, who would then send a letter to the patient with the recommendation.” Id. at 733-34 (footnotes omitted).
31. See Margaret Ann Cross, Drug Companies See Opportunities in Health Information Technology, HEALTH DATA MGMT., Oct. 1, 1996, at 70. The vice president and CIO at Eli Lilly, a pharmaceutical company, states “‘[w]e are going to be a health care solutions company, which includes making pills but which also highly leverages information technology to understand better the cause and effect of people’s illnesses and well being.’” Id.
32. See Beth Hahn Gerwin, Note, Computer Related Litigation Using Tort Concepts, 9 AM. J. TRIAL ADVOC. 97, 115 (1985).
33. See id. (explaining how the pervasive use of computers in private industry has increased the incidences of computer-related litigation). Courts have generally applied a balancing test in light of the “tension between the potential for-injury and benefit” whereby an individual’s right to privacy is weighed against the need of private entities to disclose personal information. Id.
34. United States v. Westinghouse Elec. Corp., 638 F.2d 570, 578 (3d Cir. 1980).
35. Id. at 578.

The “battle lines are being drawn” with the privacy advocates on one side and the data-users on the other.36 The privacy advocates, which include “civil libertarians, disability advocates, some consumer groups and health care provider groups,” are demanding rigorous governmental regulation of medical record privacy in order to protect the values of personal autonomy and to prevent the stigmatization and humiliation of patients.37 They derive their support from polling data which indicates that Americans desire increased privacy protection and evidences numerous instances detailing the inappropriate, and often illegal disclosures of private medical information.38 Conversely, the data-users which include “managed care organizations . . . , health insurers, medical and health policy researchers and pharmaceutical companies” are content to maintain the status quo regarding medical record accessibility and claim to support stiff penalties when this data is misused.39 Even those who support the most severe restrictions “believe that a balance must be struck between access and privacy interests . . . . However, as with most controversial legislation,” the difficulty arises in hammering out the details.40 Both sides may agree on the fundamental principles behind the legislation, however, the flexibility required by one party may be perceived as an unsatisfactory loophole by the other.41 Lawmakers must choose a policy that adequately protects the privacy interests of patients, while simultaneously permitting private companies to pursue their business interests.42

36. Helena Gail Rubinstein, If I Am Only for Myself, What Am I? A Communitarian Look at the Privacy Stalemate, 25 AM. J. L. & MED. 203, 204-05 (1999) (evaluating the arguments of privacy advocates and data users with regard to proposed federal legislation intended to protect the privacy of individual medical records).
37. Id. at 204.
38. See id. There are several instances in which personal medical data has been inappropriately disclosed. A complaint documented by one health care institution involved employees accessing lab results of their co-workers prior to asking for social dates. See Arnold, supra note 7, at 464. Similarly, an Ohio hospital employee was acquitted after locating a friend’s AIDS diagnosis in a hospital computer and revealing this information to other hospital employees. See id. (citation omitted). For other examples of abuse of medical record privacy, see supra note 18.
39. Rubinstein, supra note 36, at 205. Beyond the data-users mentioned above are law enforcement agencies, employers, and a number of entrepreneurs who seek out the medical data of individuals in order to sell it to research and marketing companies for a profit. See id.
40. Id. One doctor noted that care must be taken “not to inadvertently harm the interests of individual patients by unnecessarily restricting access to information needed” for medical research. Hearing on Patient Confidentiality: Testimony Before the Subcomm. on Health of the House Committee on Ways and Means, 105th Cong. (Mar. 24, 1998) (statement of Harry A. Guess, M.D., Ph.D., on behalf of Merck & Co., Inc.), available at <http://www.house.gov/ways_means/health/testimony/3-24-98/3-24gues.htm>.

II. BACKGROUND

A. Factual Background of Weld v. CVS Pharmacy, Inc.

In 1998, defendant CVS Pharmacy, Inc.
(CVS) implemented a Patient Compliance Program (PCP).43 The purpose of this program was to send mailings to certain designated customers providing them with information regarding new drugs, reminding them to refill their current prescriptions, or encouraging them to consult with their physicians about potential medical conditions.44 These mailings were funded by various drug manufacturers, also named as defendants in this action, and CVS asserts that each mailing indicated the manufacturer responsible for financing it.45

The two plaintiffs in this suit, John Weld and Jeffrey Kelley, both filled prescriptions at CVS and consequently, their names, addresses, dates of birth, and medical and prescription information were stored in the company’s databases.46 Undisputedly, Kelley received a mailing regarding high cholesterol in June, 1997.47 Even though the mailing did not indicate that Kelley suffered from high cholesterol, it encouraged him to discuss the hazards of this condition with his doctor.48

41. See Rubinstein, supra note 36, at 205.
42. See Mowery, supra note 17, at 730-31. The legislation created to protect informational privacy contemplate the realities in the marketplace. See id. at 731 n.308. These laws must satisfy the informational needs of business, yet do so in a way that is simultaneously fair to the consumer. See id.
43. See Weld v. CVS Pharmacy, Inc., No. 98-0897F, 1999 Mass. Super. LEXIS 261, at *3 (June 1, 1999).
44. See id. “The PCP is presently the subject of an ongoing investigation by the Massachusetts Board of Registration in Pharmacy.” Id. at *7 n.9. Furthermore, it is relevant to note that Elensys Care Services, Inc. (Elensys), the company coordinating these mailings for CVS, was informed in April, 1997, by the Maryland Board of Pharmacy that written waivers should be obtained by customers before commencing similar marketing services for a Maryland pharmacy, pursuant to a comparable program. See id.
45. See id. at *3.
46. See id.
47. See id. at *3-*4.
48. See id. The letter indicated that it had been funded by the drug manufacturer Merck. See id. at *4.

At a deposition in the fall of 1997, Kelley, a diabetes sufferer, testified that he had received marketing materials for diabetes medications in the mail, but he had no recollection as to who had sent them.49 Kelley further testified that prior to filling his prescriptions at CVS he had purchased these medications at another drug store.50 CVS acknowledged that it produced a diabetes mailing in October, 1997, however, it asserted that Kelley could not have received this mailing because it had targeted customers filling a certain type of prescription at CVS, which Kelley had never filled there.51 Furthermore, Weld does not dispute that he never received a mailing, and it is contended by CVS that he was never included in the list targeted to receive one.52 Therefore, CVS reasons that it could not possibly have “disseminated any information about Weld to any of the other defendants.”53

CVS tries to further defend itself by explaining that the means utilized to target customers for receipt of specific mailings was highly impersonal and technical.54 “For the high cholesterol mailing, CVS personnel conducted a key word search of CVS’s entire customer database based on the customer’s condition or prescriptions, and arrived at a target list of customers designated to receive the [high] cholesterol mailing.”55 Weld was not targeted to receive the mailing because his profile did not contain any of the desired criteria.56 However, Kelley, as a diabetes sufferer met the criteria necessary for inclusion in the mailing list.
57 Once this search of CVS’s database was completed, the “list of the designated customers’ names, addresses and dates of birth was . . . compiled on a diskette, which CVS gave to Elensys.”58 The contract between CVS and Elensys indicated that CVS would send their customer prescription information to Elensys and stated that “‘[CVS] agrees to provide to Elensys all pharmacy records and prescription information which Elensys and [CVS] mutually agree are necessary for Elensys to render the Patient Compliance Services.’”59 This contract also provided that confidentiality of CVS’s patient information be strictly maintained, requiring Elensys to implement extensive safeguards to ensure that it was.60

49. See Weld, 1999 Mass. Super. LEXIS 261, at *4.
50. See id.
51. See id.
52. See id.
53. Id.
54. See id.
55. Weld, 1999 Mass. Super. LEXIS 261, at *4-*5.
56. See id. at *5.
57. See id.
58. Id. Elensys is a mailing company and also a named defendant in this action, which contracted with CVS to execute the actual mailings. See id.
59. Id. at *5-*6. CVS alleges in an affidavit that Elensys did not have access to its customer prescription records nor its database and that Elensys had only customer information for those individuals included in the mailings. See id. at *6 n.7. However, CVS fails to indicate how much information was disclosed to Elensys regarding the customers included in the targeted mailing list. See id.

The final list of names and addresses was then transmitted to a mail fulfillment house employed by Elensys to collate and send out the mailing.61 It is urged by the defendants that this mailing process entailed minimal human participation and was highly automated.
62 The defendant pharmaceutical companies, who participated in these mailings, also maintain that they had no access to CVS’s customer databases, were given no customer information by CVS, and that their participation was limited to supplying CVS with data regarding the drugs promoted in the mailings which these drug companies funded.63

The plaintiffs brought several claims against CVS, but this Comment will mainly focus on count one, which alleges that CVS “violated the plaintiffs’ right of privacy as set forth in [chapter 214, section 1B of the Massachusetts General Laws].”64 Presently, CVS’s motion for summary judgment in this case has been denied.65 In denying this motion, the court indicated that “there are genuine issues of material fact as to the legality of CVS’s conduct towards the named plaintiffs Weld and Kelley, so that summary judgment is inappropriate.”66 Furthermore, the court stated that “whether CVS’s conduct as to plaintiff Kelley constituted a violation of [chapter 214, section 1B of the Massachusetts General Laws] presents a novel question suitable for initial resolution by a jury.”67

60. See id. at *6. With regard to the high cholesterol mailing received by Kelley, Elensys indicated in affidavits that it participated in these mailings to the extent it applied a special computer program to CVS’s diskette in order to correct address errors and remove duplicate names from the mailing list. See id.
61. See Weld, 1999 Mass. Super. LEXIS 261, at *6. The contract between Elensys and the fulfillment company also included strict terms concerning confidentiality. See id. at *6 n.8.
62. See id. at *6-*7.
63. See id.
64. Id.
The other counts alleged by plaintiffs against CVS include: breach of its duty of confidentiality and fiduciary duty to the plaintiffs; violation of the Massachusetts consumer protection statute, chapter 93A; tortious misappropriation of private and personal information; and conspiracy with the other defendants to violate the plaintiffs’ rights. See id.
65. See id. at *11.
66. See id.
67. Weld, 1999 Mass. Super. LEXIS 261, at *16. With regard to plaintiff Weld, who never actually received a mailing but whose name and prescription data were housed in the database used by CVS to help implement its marketing program, the court denied CVS’s motion for summary judgment without prejudice pending further discovery to determine if CVS actually disclosed any of Weld’s prescription information. See id.

B. The New Legal and Ethical Issues

The principal issue is one of access.68 Will patients have the power to permit or deny access to medical data maintained by their pharmacist?69 The collection of medical information begins when a patient visits “a health care provider and continues through diagnosis, treatment and billing.”70 “This process generates data relating to a patient’s medical and financial history, symptoms, signs and treatment options, [ultimately] including prescription medications.”71 A variety of organizations and institutions, other than patients and health care workers, seek to access medical records.72 Those seeking access include insurance companies, government officials, law enforcement, employers, lawyers, researchers, educators, and most prescription drug manufacturers.73 It is unfortunate that the laws governing medical record privacy have not kept pace with the constantly increasing risks inherent in disclosure.
74 The prescription files maintained by pharmacists, in particular, have little authority governing their confidentiality.75 In the past, a pharmacist’s lack of access to a patient’s medical information prevented him from providing true pharmaceutical care.76 However, new computer technology allows pharmacists to be more proactive in counseling patients, in addition to “sav[ing] time and money by using a computer to dispense prescriptions, fill out forms, and process insurance claims.”77

68. See Cardinale, supra note 9, at 107.
69. See id.
70. Paul T. Cuzmanes & Christopher P. Orlando, Automation of Medical Records: The Electronic Superhighway and its Ramifications for Health Care Providers, 6 OHIO N.U. J. PHARMACY & L. 19, 25 (1997).
71. Id.
72. See Adelman & Zahler, supra note 23, at 128.
73. See id.
74. See id. The authors further explained that: Although the trend in the law favors increased confidentiality of medical records, the demands of the real world favor increased disclosure. Accordingly, it is the responsibility of pharmacists, physicians, and other health care professionals to understand this tension and to educate themselves as to the best approach for handling the sensitive and legally murky issues that arise with each disclosure of medical records or exchange of medical information. Id.
75. See id. at 127.
76. See Cardinale, supra note 9, at 107.
77. Mowery, supra note 17, at 697.

C. The Evolution of the Pharmacist’s Role

It is quite evident that there have been dramatic changes in the practice of the profession of pharmacy.
78 Gone are the days when a pharmacist’s primary concern was dispensing the right drug, in the right strength and amount.79 Today, in addition to dispensing medication, pharmacists are heavily involved in patient care and are increasingly concerned with the outcome of a patient’s treatment.80 In order to perform their job effectively, pharmacists must have access to all of a patient’s relevant medical information.81 This access allows pharmacists to provide better treatment to each individual because they are better informed about an individual’s medical background and the circumstances which have led to the need for a particular type of medication.82

In order for a computer to aid pharmacists with their various responsibilities, a patient’s personal information must be entered into the pharmacy’s system.83 The information entered usually includes a patient’s birth date, gender, allergies to certain drugs, any disease being treated, and some databases even maintain “lifestyle notes on alcohol, caffeine and tobacco use, pregnancy, and exercise.”84 Computerization of medical records has played a substantial role in improving patient care by providing doctors and pharmacists with more accurate, timely, and comprehensive medical records for their patients.85 The ability to easily access a patient’s medical history is extremely useful not only to pharmacists, but also to the other health care providers with whom they interact when treating a patient.86 For example, pharmacists now have the potential to save lives and avoid harmful drug interactions by using computers to screen a patient’s prescriptions.87 If a patient is being treated by several doctors at one time, each doctor may be unaware of which medication the other is prescribing.88 The pharmacist, however, by simply checking a patient’s computerized file, is able to view all of the medications currently being used by a patient and can notify the patient’s primary-care physician about potentially harmful interactions.89 As a result, the doctor may prescribe an alternative medication, thus averting a potentially fatal disaster.90

78. See Berger, supra note 23, at 139.
79. See id.
80. See id. “[T]he scope of the practice [of pharmacy] took a giant leap forward when Congress enacted the Omnibus Budget Reconciliation Act of 1990 (OBRA 90) . . . . OBRA 90 set forth minimum standards of pharmaceutical care that all states must require pharmacists to perform when dispensing Medicaid prescriptions (as a Medicaid funding mechanism).” Id. at 139-40. These standards include: requiring the pharmacist to meet with and interview the patient in person in order to provide the patient with counseling regarding their drug therapy; requiring the pharmacist to create patient profiles, recording the patient’s disease state in addition to the pharmacist’s notes; and requiring pharmacists to perform prospective drug use review along with patient consultations. See id. at 140.
81. See id.
82. See id.
83. See Mowery, supra note 17, at 698-99.
84. Id. at 698.
85. See Arnold, supra note 7, at 460.
86. See Michael Slezak, Pharmacy’s Big Screen Drama, AM. DRUGGIST, Nov. 1, 1996, at 39.

D. Computerized Pharmacy Records and Third Parties

As key members of the healthcare team, it is crucial that pharmacists actively assist in developing standards for the automation of medical records.91 They must also remain acutely aware of the implications of automation on their practice.92 However, most of the controversy surrounding the confidentiality of pharmaceutical records does not stem from the pharmacist’s access to a patient’s private medical information.93 More often, concern arises when third parties, generally “big business,” are given access to this highly sensitive and private data.94

“The medical record is . . . a rich repository of information [to] third parties . . . .
[A] modern medical record can be used in many different ways outside the treatment process. The growing awareness of medical records as a source of information is one reason why disclosure of the record is increasingly demanded.”95 Today’s pharmacists are keenly aware that the market for prescription data is now a big business and that there is a lot of money to be made in it, especially for the drug manufacturers.96 As a result of the new technology, pharmacists are now an important “part of a new market for the information in their databases.”97 Without their participation in providing this information, the market will likely be less extensive. The promotional activities of the pharmaceutical industry are becoming more and more aggressive.98 Pharmaceutical companies now endeavor to

87. See Mowery, supra note 17, at 698.
88. See id. at 698.
89. See id.
90. See id.
91. See Cuzmanes & Orlando, supra note 70, at 20.
92. See id.
93. See Rubinstein, supra note 36, at 229.
94. See id. Polling data indicates that next to the government, individuals are most upset about “big business,” meaning private corporations, having access to their private medical information. See id.
95. Mowery, supra note 17, at 698 n.17 (citations omitted).
96. See id. at 699 n.16.
97. Id. at 699.
98. See David Woodward, The New Drug Marketing: A Consumer
expand their traditional form of promotion, targeting physicians with individual sales calls, to include direct advertising to consumers, various “promotional practices involving payments to health care providers, and a very high level of merger activity.”99 The National Association of Boards of Pharmacy (NABP) has voiced extreme concern regarding the activity of some third-party organizations, including insurance companies, pharmacy benefits management companies,100 and marketing firms.101 As a result, NABP has developed a set of guidelines covering the confidentiality of patient records with regard to patient compliance and intervention programs.102 “Some third-party programs that exist outside the pharmacist/patient relationship may [even] try to switch a patient’s medication or direct the patient away from a course of therapy for economic or financial gains.”103 This is one of the practices the NABP would like to curb with its new guidelines.104 Many private companies

Protection Perspective, 51 FOOD & DRUG L.J. 637, 638 (1996). Remarkable changes have occurred in the healthcare market and the forces driving the pharmaceutical industry are no exception. See id. “[C]ost containment has become a driving force in the new market [along with] the role of third-party payors . . . becoming increasingly important.” Id.
99. Id. This merger activity is occurring “among pharmaceutical manufacturers and between pharmaceutical companies and [pharmacy benefit management companies (PBMs)].” Id.
100. There are new confidentiality concerns with regard to the increased use of PBMs. See RxNews: Prescription Privacy, HEALTH FACTS, Apr. 1, 1999, at 4. “PBMs are relatively new commercial enterprises which use management skills, along with considerable purchasing clout, to reduce the cost of the drug benefits offered by health plans to their enrollees. This has become critically important because [the cost of] prescription drugs . . .
[is] rising at a faster rate than any other health care item.” Id. “[T]he drug benefits of the vast majority of Americans with health insurance” are now managed by PBMs. Id. “PBMs collect and analyze information about large numbers of patients, their medical histories, prescriptions, drug interactions, drug effectiveness and treatment outcomes, creating an electronic database that is coveted by drug makers for use in their marketing and research efforts. The result is that PBMs make money by selling their databases to others.” Id. Since the disclosure of this personally identifiable prescription information is not regulated, any stranger can now access the personal information of individual consumers without obtaining any prior consent or giving any prior notification to those individuals. See id.
101. See Rebecca Porter, Pharmacy Association Sets Guidelines for Privacy, TRIAL, Mar. 1999, at 98, 99, 100.
102. See id. at 100. The NABP defines patient compliance and intervention programs as programs “that contact the patient or caregiver to improve the patient’s use of prescribed medication and promote appropriate monitoring and self-reporting of medication use; provide educational information about the patient’s disease state; and discuss and/or affect a patient’s therapy or choice of medication.” Id.
103. Id.
104. See id.

presently collect prescription records from pharmacies and then subsequently sell them to pharmaceutical companies.
105 These companies obtain permission to access the records by providing certain services to the pharmacies.106 However, many patient-privacy advocates contend that “[r]egardless of how [confident a] pharmacist or physician feels about the [confidentiality] safeguards” the pharmaceutical companies claim to be using, “the industry should never [be permitted to] get its hands on medical records in the first place.”107 There is no doubt that the information collected by pharmacists represents a substantial financial value to commercial enterprises.108 The pharmaceutical companies defend themselves by arguing that they are only interested in the aggregate information of patients.109 However, these companies have used the patient information they have received for direct

105. See Mowery, supra note 17, at 699-700.
Medco Containment Services Inc., the nation’s biggest mail-order prescription operation, last year created a subsidiary to sell its customers’ prescription records, in addition to prescription data it buys from the American Association of Retired Persons. Medco sorts everything by the names of physicians and gives their addresses. Drug companies love that extra feature because they can zero in on physicians most likely to go for their mailings.
Id. (quoting Michael W. Miller, Data Tap: Patients’ Records are Treasure Trove for Budding Industry, WALL ST. J., Feb. 27, 1992, at A1, A6).
106. See Mowery, supra note 17, at 700. These services often include providing new hardware and software to pharmacists allowing them to more easily track patient information. See id. Sometimes though, it is money that is given to the pharmacies in exchange for patient prescription data. See id. Also, “[p]hysicians and pharmacists routinely open up their patient records to data collectors that sell them to pharmaceutical companies hungry to know exactly how their products are selling . . . . [N]early half of the 1.6 billion prescriptions filled each year in the U.S.
pass along this chain.” Miller, supra note 19, at A6. However, the physicians and pharmacists involved in these sales do not feel that they threaten patient privacy, since the data-collectors insist that all patient names are deleted from the information. See id. Nevertheless, those who criticize these practices say that medical record custodians “have no business entrusting them, without patients’ knowledge or consent, to an unregulated industry.” Id.
107. Miller, supra note 19, at A6. However, not all doctors and pharmacists are willing to sell the information in their databases. A pharmacist in Williamsburg, Virginia who turned down a monetary offer from a data collection company interested in access to her records states, “‘I have no clue what they’re pulling off my computer, and I don’t trust what they’re telling me . . . . I’m not a computer expert. I have patients to protect and a business to protect.’” Id.
108. See Mowery, supra note 17, at 699 (citing Adele A. Waller, Health Care Information Issues in Health Care Reform, 16 WHITTIER L. REV. 15, 18 (1995)). With patient information in their possession, pharmaceutical companies can improve their product marketing to customers and healthcare providers. See id.
109. See Miller, supra note 19, at A6.

marketing purposes.110 This requires the “company to use the specific names and addresses of the group of individuals that have been targeted.”111 This type of targeted patient information is exactly what the pharmaceutical companies need to market their products to patients and healthcare providers, and its usage is consistent with current direct marketing practices.112

E.
Patient Privacy and Pharmacy Records

When the divulgence of medical information in some way imparts a medical or financial benefit to the patient, many theorize that such disclosures are justified by implied consent.113 “Thus, the patient consents, or is presumed to consent, to the disclosure of information to other health care professionals to provide appropriate treatment, to insurers to assure payment, or to researchers or regulators to maintain effective oversight or evaluation services.”114 Nevertheless, vast amounts of information are constantly collected on American consumers and the manner in which these facts are utilized is fundamentally important.115 If a pharmaceutical manufacturer represents to consumers that the data being collected will only be used for drug utilization review purposes, this promise should be honored or at the very least, the company “should fully describe all uses that may be made of such information.”116 Ultimately, drug manufacturers should not use a patient’s confidential medical information for marketing purposes.117 Since today’s consumers place a great deal of importance on the privacy of their medical records, pharmaceutical manufacturers should design and implement their various promotional programs and practices with this in mind.118 A 1993 privacy survey revealed that “forty-eight percent of the public, representing 89,000,000 Americans, are highly concerned about issues of medical privacy.”119 The survey also found that sixty percent of all Americans:

[F]eel that it would be unacceptable for pharmacists to provide pharmaceutical companies with the names of customers using certain medications for use in direct mail; sixty-six percent felt that it would be unacceptable for hospitals to use the names of patients to solicit donations; and sixty-four percent stated that their permission should be required before their medical records could be used for research purposes, even if no personally identifiable information were published.120

110. See id.
111. Mowery, supra note 17, at 733.
112. See id.
113. See Gostin, supra note 16, at 523.
114. Id.
115. See Woodward, supra note 98, at 648.
116. Id. Many privacy specialists agree that most patients never become aware of confidentiality violations. See Miller, supra note 19, at A1. However, many patients who learn of the violations may not want to risk further exposure by calling attention to the breach of confidentiality. See id.
117. See Woodward, supra note 98, at 648.
118. See id.
119. Id. (quoting HARRIS-EQUIFAX, HEALTH INFORMATION PRIVACY SURVEY (1993) (study no. 934009)).

The public concern surrounding this sensitive issue is also reflected in the media attention it receives, as well as in the concern exhibited by Congress and former President Clinton121 in protecting the confidentiality of medical information.122

F. Privacy Laws and Pharmacists

Presently, the medical information in the United States (U.S.) receiving the most protection is that of individuals procuring care from federally financed drug and alcohol treatment centers.123 Unless an individual is enrolled in one of these governmental substance abuse clinics, the protection of individual medical records is wholly inadequate.124 “Health records privacy law [in the U.S. currently] consists of a patchwork of state

120. Id. (quoting HARRIS-EQUIFAX, HEALTH INFORMATION PRIVACY SURVEY (1993) (study no. 934009)).
121. As recently as October 29, 1999, President Clinton urged Congress to take further steps to safeguard the electronic medical records of patients. See Sonya Ross, Clinton Aims to Shield Electronic Medical Records (visited May 10, 2001) <http://www.abcnews.go.com/sections/us/DailyNews/insurance991029.html>. One of the President’s greatest concerns was keeping a patient’s private medical information out of the hands of marketers. See id.
The President also expressed concern about the great discrepancies among state laws protecting the privacy of individual medical records. See id. Currently, federal law does not protect an individual’s private medical information from being disseminated to employers, sold to pharmaceutical companies or distributed throughout the office of an insurance company. See id.
122. See Woodward, supra note 98, at 648-49; see also, e.g., Medical Records Confidentiality Act of 1995, S. 1360, 104th Cong.; Fair Health Information Practices Act of 1994, H.R. 4077, 103d Cong.
123. See PAUL M. SCHWARTZ & JOEL R. REIDENBERG, DATA PRIVACY LAW 165 (1996).
124. See id.; see also Richard C. Turkington, Legal Protection for the Confidentiality of Health Care Information in Pennsylvania: Patient and Client Access; Testimonial Privileges; Damage Recovery for Unauthorized Extra-Legal Disclosure, 32 VILL. L. REV. 259 (1987); Paul M. Schwartz, The Protection of Privacy in Health Care Reform, 48 VAND. L. REV. 295 (1995) (discussing health reform issues relating to privacy and computerized data). See generally Gostin, supra note 16 (discussing laws regarding the confidentiality and health records).

and federal laws that leaves large segments of health records with little legal protection.”125 These laws mainly provide protection for health records that are under governmental control or in limited cases protection is provided for specific kinds of medical information.
126 Also hindering privacy protection is the lack of uniformity among state laws.127 In an era when interstate data transfers are prevalent, this inconsistency in the laws of the states only weakens the protection of an individual’s health records.128 Congress’ Office of Technology Assessment recently concluded that “‘[t]he present legal scheme does not provide consistent, comprehensive protection for privacy in health care information, whether it exists in a paper or computerized environment.’”129

III. THE RIGHT OF PRIVACY IN MASSACHUSETTS

The Massachusetts Legislature has declared the existence of an individual’s right to privacy.130 Instead of creating a detailed and

125. RICHARD C. TURKINGTON & ANITA L. ALLEN, PRIVACY LAW: CASES AND MATERIALS 223-24 (1999).
126. See SCHWARTZ & REIDENBERG, supra note 123, at 165-66. The medical information that is specifically protected by law includes records containing highly personal or especially intimate data. See TURKINGTON & ALLEN, supra note 125, at 224. Drug and alcohol and mental health treatment records all fall into this category and enjoy strong privacy protection. See id.
127. See SCHWARTZ & REIDENBERG, supra note 123, at 166.
128. See id.
129. Id. (quoting OFFICE OF TECHNOLOGY ASSESSMENT, PROTECTING PRIVACY IN COMPUTERIZED MEDICAL INFORMATION 13 (1993)). The existing patchwork of law has a number of shortcomings. See id. at 167. An example of one is the abuse of the idea of “informed consent.” See id.
Informed consent should protect not only physical self-determination but informational self-determination as well. It should serve a role in furthering data protection’s goal of organizing information processing in a way that furthers the individual’s capacity for free decision making. A consent to the application of one’s personal medical data can only be informed . . . . Yet in the United States, the current norm is “uninformed consent” to disclosure of personal medical data.
Service payors, such as insurance companies and service providers, such as doctors and clinics, generally have their customers, the consumers of health care services, sign broad, “blanket” disclosure releases. These disclosure documents have been used to justify almost any secondary use of medical data.
Id. Furthermore, these broad releases have allowed for the disclosure of medical information to pharmaceutical companies, employers seeking data regarding their workers, direct market mailers, and the Medical Information Bureau, which is a non-profit organization that provides medical information to insurance companies for the purpose of insurance fraud prevention. See SCHWARTZ & REIDENBERG, supra note 123, at 167-68.
130. See MASS. GEN. LAWS ch. 214, § 1B (2000).

comprehensive statute, the legislature has left the interpretation of a very broadly worded law to the courts, which must forge workable rules, principles, and applications of it.131 The statute states that “[a] person shall have a right against unreasonable, substantial or serious interference with his privacy. The superior court shall have jurisdiction in equity to enforce such right and in connection therewith to award damages.”132 Since there is no generally accepted definition of privacy and because of the statute’s broad language, responsibility has fallen on the courts to define the meaning of an individual’s right to privacy in Massachusetts.133 However, the legislature was insightful in creating this sweeping definition of privacy.134 Even in the early 1970s, when the statute was created, its drafters were able to envision the serious threat that electronic technology posed to individual privacy, especially if this technology were in the hands of public and private bureaucracies.
135 Consequently, the drafters realized that the “law of privacy must have the ability to grow and to adapt to changing circumstances” and that it should not be restricted by its past interpretations.136

A. History of Massachusetts Privacy Law

In Baker v. Libbie,137 the Massachusetts Supreme Judicial Court (SJC) was first presented with the issue of an individual’s privacy rights.138 In this case, an auctioneer of manuscripts attempted to publish and sell various personal letters written and signed by Mary Baker Eddy, the founder of Christian Science.139 These letters were written by Ms. Eddy to a cousin referring to various household matters and also to Ms. Eddy’s business and personal activities.140 As requested by the Estate of Mary Baker Eddy, the unanimous court enjoined the actions of the auctioneer concluding that “[t]he right of the author to publish or suppress publication of [her] correspondence is absolute in the absence of special considerations, and is independent of any desire or intent at the time of the writing.”141 Furthermore, the recipient’s “unqualified title in the material on which [the letter] is written . . . is subject . . . to the proprietary right

131. See William L. Pardee, Note, The Massachusetts Right of Privacy Statute: Decoy or Ugly Duckling?, 9 SUFFOLK U. L. REV. 1248, 1248 (1975).
132. MASS. GEN. LAWS ch. 214, § 1B.
133. See Pardee, supra note 131, at 1248-49.
134. See id. at 1250.
135. See id. at 1249-50.
136. Id. at 1250.
137. 97 N.E. 109 (Mass. 1912).
138. See id. at 109.
139. See id.
140. See id.
141. Id. at 111.
retained by the author for [herself] and [her] representatives to the publication or nonpublication of ideas in its particular verbal expression.”142 Accordingly in Baker, the court did not directly consider the invasion of privacy issue by reasoning that the content of the letters was not such that even if read by strangers would have caused embarrassment or hurt feelings to the author.143 Instead the court chose to resolve the privacy issue with the application of copyright law.144 More than half a century later, Massachusetts was no closer to recognizing the right of privacy than it had been in Baker.145 However in 1970, prior to enacting the current Right of Privacy Statute,146 the Legislature enacted a law which created a remedy for an individual whose name, portrait, or picture was misappropriated for trade purposes.147

142. Id. at 112.
143. See id. at 112.
144. See id.
145. See Pardee, supra note 131, at 1254 n.27; see also Brauer v. Globe Newspaper Co., 217 N.E.2d 736, 740 (Mass. 1966) (holding that “an invasion of privacy based on ‘publicity’ which casts the plaintiff ‘in a false light in the public eye’ requires acts which are sufficient in themselves to familiarize the public with either the name, likeness, or other means of identifying the plaintiff”); Frick v. Boyd, 214 N.E.2d 460, 463-64 (Mass. 1966) (holding that publication of a book which did not include any defamatory remarks about the plaintiff was not a serious enough intrusion into the plaintiff’s private life to constitute an invasion of privacy); Kelley v. Post Publ’g Co., 98 N.E.2d 286, 287 (Mass. 1951) (finding that publication in a newspaper of a deceased car accident victim’s picture along with her parents’ names was not an invasion of privacy); Themo v. New England Newspaper Publ’g Co., 27 N.E.2d 753, 755 (Mass. 1940) (holding that the right of privacy “does not protect one from having his name or his likeness appear in a newspaper when there is legitimate public interest in his existence, his experiences, his words, or his acts”); Marek v. Zanol Prods. Co., 9 N.E.2d 393, 394 (Mass. 1937) (finding that no invasion of privacy claim exists since the plaintiff consented to the publishing of his photograph in a national magazine prior to publication); Thayer v. Worcester Post Co., 187 N.E. 292, 294 (Mass. 1933) (holding that there was no invasion of privacy when a picture, which the plaintiff had no rights in, was excerpted and published in a newspaper).
146. MASS. GEN. LAWS ch. 214, § 1B (2000).
147. See id. § 3A. Appropriation has been defined as the “exploitation of another’s identity for one’s own advantage.” WILLIAM L. PROSSER, THE LAW OF TORTS § 804 (4th ed. 1971). The Massachusetts appropriation statute states that:
Any person whose name, portrait or picture is used within the commonwealth for advertising purposes or for the purposes of trade without his written consent may bring a civil action in the superior court against the person so using his name, portrait or picture, to prevent and restrain the use thereof; and may recover damages for any injuries sustained by reason of such use. If the defendant shall have knowingly used such person’s name, portrait or picture in such manner as is prohibited or unlawful, the court, in its discretion, may award the plaintiff treble the amount of the damages sustained by him . . . .

Subsequently, the more general Right of Privacy Law was enacted in 1973.148

B. Interpretation of the Massachusetts Right of Privacy Statute

The Massachusetts Right of Privacy Statute provides individuals with a right against “unreasonable, substantial or serious interference with [their] privacy”149 and is uniquely broad among privacy statutes.
150 However, this phrase cannot be taken literally because it would then outlaw searches and seizures which interfere with an individual’s privacy, yet are lawful.151 Therefore, it may be concluded that the statute’s intention is to make unprivileged invasions of an individual’s privacy actionable.152 Evidently, any interference with privacy that extends beyond what is essential under the circumstances will be deemed unreasonable.153 This notion indicates that there are certain interests that compete with an individual’s right of privacy, including freedom of expression, equality, security, governmental effectiveness, and political involvement.154 In order to accommodate these

MASS. GEN. LAWS ch. 214, § 3A. The language of this Massachusetts appropriation statute closely follows that of New York’s Right of Privacy Law. See Pardee, supra note 131, at 1277. However, it seems unlikely that the Massachusetts courts will look to New York’s right of privacy decisions for guidance because unlike New York, Massachusetts also has a general right of privacy statute. See id. Therefore, it is likely that Massachusetts will interpret its appropriation statute more narrowly than New York has interpreted its similar right of privacy statute, since Massachusetts courts may use chapter 214, section 1B “to cover many situations which have been termed ‘appropriation’ by the New York courts.” Id.
148. MASS. GEN. LAWS ch. 214, § 1B; see also Pardee, supra note 131, at 1248-49.
149. MASS. GEN. LAWS ch. 214, § 1B. This type of interference can be defined as that “which is offensive to a reasonable man and is without sufficient justification.” Pardee, supra note 131, at 1276.
150. See Pardee, supra note 131, at 1251-52 n.16. It is interesting to note that many states have supplemented other rights enumerated in their state constitutions with a right of privacy. See, e.g., ALASKA CONST. art. I, § 22 (1972); CAL. CONST. art. I, § 1 (1972); ILL. CONST. art. I, §§ 6, 12 (1970); MONT.
CONST. art. II, § 10 (1972); S.C. CONST. art. I, § 10 (1971); see also Pardee, supra note 131, at 1251-52 n.16.
151. See Pardee, supra note 131, at 1267.
152. See id. The word “privilege” simply indicates a presumption of reasonableness and the term “reasonableness” creates the need for a balancing test. See id. at 1271. “The important variables in this test are the seriousness of the interference with privacy . . . [and] the importance of the opposing public interest, [as well as] the availability of alternative means of satisfying that interest.” See id.
153. See id. at 1267.
154. See id.

public interests, their importance must be weighed and balanced against the interference with privacy.155 Interpretation of the Massachusetts Right of Privacy Statute is somewhat dependent upon the statute’s intended purpose.156 Some authorities have espoused that the legislature intended to enact the statute as it has been developed in other jurisdictions and as defined by Dean Prosser.157 This interpretation would require that all actions for invasion of privacy fall into one of Prosser’s four categories in order for the claim to be adjudicated by the court.158 This view further reasons that the Statute’s scope is a matter of judicial law, and it “empowers the courts to adjudicate any case falling into one of Prosser’s categories.”159 However, there is little, if any, language in the Statute itself that supports this interpretation.160 “[I]f the legislature intended merely to declare the existence of a right of privacy without committing itself to any particular theory . . .
then the meaning of the statute – the breadth and application of the right of privacy – is open to debate, and presumably to development along wholly new lines.”161 Furthermore, the Massachusetts Courts may prefer to interpret the Right of Privacy Statute so that it is consistent with the decisional law of Massachusetts, and not necessarily with that of other states.162

C. Additional Assurances in Massachusetts Law of Privacy and Confidentiality

Presently, Massachusetts has no comprehensive laws regulating the confidentiality and privacy of an individual’s medical records. The current laws governing disclosure of these records only offer protection to personal data maintained by governmental entities.163 Consequently, these laws fail to regulate the data kept by private organizations leaving most types of health records vulnerable to disclosure.

155. See Pardee, supra note 131, at 1267.
156. See id. at 1252.
157. See id.
158. See id. Dean Prosser’s four proposed categories were as follows: “(1) Intrusion into the plaintiff’s physical solitude; (2) Appropriation of the plaintiff’s name or likeness without his consent for the defendant’s advantage; (3) Disclosure to the public of embarrassing private facts; (4) Placing the plaintiff in a false light in the public eye.” WILLIAM L. PROSSER, THE LAW OF TORTS §§ 804-14 (4th ed. 1971).
159. Pardee, supra note 131, at 1252.
160. See id.
161. Id.
162. See id. at 1254.
163. See infra notes 174–91 and accompanying text.

1. The Massachusetts Constitution and Common Law

Similar to the U.S. Constitution, the Massachusetts Constitution does not actually contain a specific provision regarding the individual privacy rights of its citizens.164 However, in numerous cases the Massachusetts Supreme Judicial Court has followed the lead of the U.S. Supreme Court by finding an implied protection of an individual’s privacy rights in certain articles of the State Constitution.
165 The Court is able to do this by recognizing that certain “zones of privacy” exist for every citizen, and the government may not intrude upon these without demonstrating a compelling state interest.166 Even if the government can show that a

164. See Barry L. Mintzer, Employee Mental Health and Other Sensitive Records, in 1 MASSACHUSETTS CONTINUING LEGAL EDUCATION, DRAFTING EMPLOYMENT DOCUMENTS IN MASSACHUSETTS: § 10.5.2 (Ann G. Leibowitz ed., 1997). However, a minority of states have included express rights to privacy in their constitutions. See, e.g., ALASKA CONST. art. I, § 22 (1972); ARIZ. CONST. art. II, § 8 (1910); CAL. CONST. art. I, § 1 (1972); FLA. CONST. art. I, §§ 12, 23 (1982); HAW. CONST. art. I, §§ 6, 7 (1968, 1978); ILL. CONST. art. I, §§ 6, 12 (1970); LA. CONST. art. I, § 5 (1974); MONT. CONST. art. II, § 10 (1972); S.C. CONST. art. I, § 10 (1971); WASH. CONST. art. I, § 7 (1889). See also Arnold, supra note 7, at 477 n.135.
165. See Mintzer, supra note 164, at § 10.5.2. The Massachusetts courts have implied privacy rights into articles I, XIV, and XVI of the Massachusetts Declaration of Rights. See id. Article I declares that:
All people are born free and equal and have certain natural, essential and unalienable rights; among which may be reckoned the right of enjoying and defending their lives and liberties; that of acquiring, possessing and protecting property; in fine, that of seeking and obtaining their safety and happiness. Equality under the law shall not be denied or abridged because of sex, race, color, creed or national origin.
MASS. CONST. pt. 1, art. I. Individual privacy rights are also implied in article XIV which asserts that:
Every subject has a right to be secure from all unreasonable searches, and seizures, of his person, his houses, his papers, and all his possessions.
All warrants, therefore, are contrary to this right, if the cause or foundation of them be not previously supported by oath or affirmation; and if the order in the warrant to a civil officer, to make search in suspected places, or to arrest one or more suspected persons, or to seize their property, be not accompanied with a special designation of the persons or objects of search, arrest, or seizure: and no warrant ought to be issued but in cases, and with the formalities prescribed by the laws.
MASS. CONST. pt. 1, art. XIV. These privacy rights are further implied in article XVI which states that “[t]he liberty of the press is essential to the security of freedom in a state: it ought not, therefore, to be restrained in this commonwealth. The right of free speech shall not be abridged.” MASS. CONST. pt. 1, art. XVI.
166. See Mintzer, supra note 164, at § 10.5.1.

compelling state interest exists, it must use the least intrusive method available to achieve the legitimate public goal.167 In following the lead of the U.S. Supreme Court, application of the privacy rights found in the Massachusetts Constitution is only effective when the privacy violations are instigated by the government and appears to have no impact whatsoever on privacy invasions initiated by private entities because “state action” is lacking.168 A great deal of the interpretation relating to privacy that is extended to the U.S. and Massachusetts Constitutions is borrowed from common law theories.169 These include “torts of intrusion upon an individual’s solitude or seclusion, and public disclosure of private facts.”170 As far back as 1912, prior to the enactment of any privacy statutes, the Massachusetts courts discussed and considered the possibility of a common law cause of action encompassing privacy violations.171 Privileged or confidential communications are also recognized at common law.
172 These include conversations between a husband and wife, and a variety of other privileged communications which permit an individual to withhold testimony about himself by another person.173
2. Statutory Protection for Medical and Mental Health Records
The Massachusetts Legislature certainly has tried to protect the confidentiality of medical and mental health records through its enactment of a number of statutes that prevent access to such information.174 The
167. See id.
168. See infra note 251-53 and accompanying text.
169. See Mintzer, supra note 164, at § 10.5.4.
170. Id.
171. See supra notes 137–44 and accompanying text.
172. See Mintzer, supra note 164, at § 10.5.4.
173. See id.
174. See id. § 10.6.1(a). In the early 1970s, a Special Legislative Commission on Privacy was formed “to investigate and study personal data gathering, maintenance and dissemination practices in Massachusetts, assess their implications on civil liberties and the rights of informational privacy and make recommendations to rectify and prevent related problems.” SPECIAL LEGIS. COMM’N ON PRIVACY, SECOND INTERIM REPORT OF THE LEGIS. COMM’N ON PRIVACY, H.R. DOC. NO. 6106, available in Massachusetts Legislative Documents, Vol. 6051-6199, at 7 (1975). Many other states have also enacted laws to protect an individual’s medical information from disclosure. See ROBERT ELLIS SMITH, COMPILATION OF STATE AND FEDERAL PRIVACY LAWS 32, 32-36, 46-47 (1992). For example, California forbids the disclosure of a patient’s medical information unless written permission is first obtained from the patient. See id. at 32. Further, Colorado has included medical records in the state criminal theft statute, clearly indicating that the information contained in medical records is considered as having value under the law. See id. The Colorado Criminal Code states that “[a]ny person who, without proper authorization, knowingly obtains a
Massachusetts Patients’ and Residents’ Rights Law provides privacy rights to any records, communications, and treatment occurring in a hospital or healthcare facility licensed by or subject to licensing by the Commonwealth.175 Another statute provides for a psychotherapist-patient privilege.176 This law allows a patient or their psychotherapist to refuse to disclose any and all communications between the patient and the therapist provided the communications were made in the course of diagnosis or treatment of the patient’s mental or emotional condition.177 Similarly, the Legislature has created statutes that protect the confidentiality of communications between licensed social workers and their clients,178 as well as between psychologists and their clients.179 To further protect an
medical record or medical information with the intent to appropriate [it] to his own use or the use of another, who steals or discloses to an unauthorized person a medical record or medical information . . . commits a theft.” Id. (citation omitted). Minnesota has a patient’s bill of rights which requires that every consideration be given to maintain a patient’s privacy and individuality. See id. at 34. In Nevada patients may either personally refuse to disclose their health information or they may forbid others from disclosing it. See id. at 35. New York recognizes privileged communications between patients and nurses as well as between patients and physicians. See id. Rhode Island requires organizations maintaining medical information to implement policies which will assure privacy, and the state of Wisconsin mandates the confidentiality of patient records with the exception of those used in healthcare to process payments, claims, and for research. See id. at 36.
175. See MASS. GEN. LAWS ch. 111, § 70E (2000). This statute states in part that “[e]very patient or resident of a facility shall have the right: . . .
to confidentiality of all records and communications to the extent provided by law . . . .” Id. § 70E(b). However, there is an exception under this statute permitting third-party payers to examine medical records in order to determine a patient’s eligibility or entitlement to benefits, as long as the policy under which the claim is made allows access to such records. See id. § 70E(n)(h)(4). This statute provides that “all records relating to diagnosis, treatment, or other services provided to any person, including a minor or incompetent,” are available to third-party payers for inspection, copying and to aid in determining the patient’s eligibility for benefits. Id.
176. See MASS. GEN. LAWS ch. 233, § 20B.
177. See id.
178. See id. ch. 112, § 135. This Statute prohibits a licensed social worker from disclosing information communicated to them by their clients, unless the client provides the social worker with written consent to do so. See id. It also gives a social worker permission to disclose confidential communications if “the social worker has a reasonable basis to believe that there is a clear and present danger that the client will attempt to kill or inflict serious bodily injury against a reasonably identified victim . . . [or himself and refuses to voluntarily accept further suitable treatment].” Id. § 135A(c)(2).
179. See id. ch. 112, § 129A. Psychologists also have a duty to keep all communications between themselves and their clients confidential. See id. However, this duty is suspended if the client presents a clear and present danger to
individual’s medical records, Massachusetts law provides that any record of a patient’s treatment in a drug or alcohol rehabilitation facility must be kept confidential.180 This Statute also indicates that these records may only be made available by judicial order.181 In order for the patient to authorize disclosure of his records at a drug rehabilitation facility, the patient must provide the facility with written permission, including his signature, and the disclosure must be for the patient’s benefit.182 “[The] consent . . . [also must] state the name of the person or organization to whom the disclosure is to be made, the specific type of information to be disclosed, and the purpose or need for such disclosure.”183 Additionally, the legislature has limited the right of an employer to acquire information regarding an employee or job applicant’s treatment for mental illness.184 An employer may not refuse to hire or discharge an individual from employment based on the applicant or employee’s failure to provide information regarding their prior admission to a mental health facility, unless the request is based on a genuine occupational requirement.185 Moreover, if the applicant or employee has been discharged from the facility, is no longer under treatment, and can prove that they are mentally competent to perform the job, via a psychiatrist’s certificate, the employer may not use this information as grounds for an adverse employment decision.186
3. The Fair Information Practices Act
The legislature has made another effort to protect the privacy of individuals in Massachusetts with the enactment of the Fair Information Practices Act (FIPA).187 This statute establishes the general duties of governmental officials with regard to the use of personally-identifiable data as well as the rights of individuals with respect to such data.188 The
himself or to others and refuses to voluntarily accept the necessary treatment. See id. § 129A (1)-(2).
180. See id. ch.
111E, § 18, ch. 111B, § 11.
181. See id.
182. See MASS. GEN. LAWS ch. 111E, § 18(a) (2000).
183. Id.
184. See id. ch. 151B, § 4(9A).
185. See id.
186. See id.
187. See id. ch. 66A, § 3.
188. See Donna E. Arzt, Privacy Law in Massachusetts: Territorial, Informational and Decisional Rights, Vol. 70, #4 MASS. L. REV. 173, 182 (1985). Personal data includes “any information concerning an individual which, because of name, identifying number, mark or description can be readily associated with a particular individual, and which is accessible by such name, mark, or description, provided, however, that such information is not contained in a public record . . . .” SPECIAL LEGIS. COMM’N ON PRIVACY, SECOND INTERIM REPORT OF THE LEGIS.
law’s “purpose is to provide safeguards for the selection and use of personal information, provide reasonable access by individuals to their records, provide a system of registration and identification of state-operated personal data systems and provide civil remedies for violations of its provisions.”189 However, FIPA only protects the private records of individuals collected by certain governmental entities.190 Consequently, it affords no protection to an individual’s personal records, including medical records, which are collected and maintained by private organizations.191 Accordingly, it fails to protect the type of individual data maintained by a private company such as CVS, which may be inclined to disclose the personal information contained in their pharmacy records for their own economic benefit. Many Massachusetts statutes require medical personnel in private practice to maintain records and report information regarding particular medical conditions to the Departments of Public Health or Safety.
192 The conditions that must be reported by law include “birth defects, gunshot wounds, venereal and other communicable diseases.”193 These statutes do not require the patient’s consent in order for the reporting to occur and most of these reports are not considered public records of the agency.194 Additionally, the statutes clearly indicate the penalties for disclosure of an individual’s personal identity in connection with this information.195
D. Where does Weld v. CVS Pharmacy, Inc. fit into Massachusetts Law
It is clear that the Massachusetts Legislature is immensely concerned with privacy issues as evidenced by the myriad of legislation that has been enacted. However, not one of these statutes directly addresses the problem in Weld.196 It seems that the Massachusetts Right of Privacy Statute197 with its broad language, offers the only possibility of protection for the personal information contained in pharmacy records. By applying the language of this statute, the court could find that when a pharmacy
COMM’N ON PRIVACY, H.R. DOC. NO. 6106, available in Massachusetts Legislative Documents, Vol. 6051-6199, at 12 (1975).
189. SPECIAL LEGIS. COMM’N ON PRIVACY, REPORT OF THE LEGIS. COMM’N ON PRIVACY, H.R. DOC. NO. 5417, available in Massachusetts Legislative Documents, Vol. 13, at 31 (1975).
190. See Arzt, supra note 188, at 182.
191. See id.
192. See id. at 188.
193. Id.
194. See id.
195. See id.
196. No. 98-0897F, 1999 Mass. Super. LEXIS 261, at *3 (June 1, 1999).
197. MASS. GEN. LAWS ch. 214, § 1B (2000).
uses the prescription records of its customers to aid private companies with marketing strategies, this constitutes an interference with those customers’ privacy that is “unreasonable, substantial, or serious.”198 Furthermore, if the Massachusetts Legislature does not enact a law specifically designed to protect the privacy of an individual’s prescription and medical information, the courts have little choice other than to safeguard these records with the more general Right of Privacy Statute.199 When considering the expanse of the current privacy protections created by the legislature, it could be assumed that the legislature consciously chose not to enact specific protections for prescription information in the possession of private entities, having determined that this information was adequately protected by the Right of Privacy Statute or the more specific Massachusetts Code of Regulations which includes regulations overseeing pharmacists.200 However, the private sector would likely interpret the absence of a specific law governing the disclosure of these records as intentionally omitted. These private organizations would argue that the legislature, which has so adeptly enacted legislation to protect individual privacy, must have intentionally excluded similar protections for pharmacy records maintained in the private sector because they deemed such protections unnecessary. Nonetheless, this flimsy argument is
198. Id.
199. The state of Rhode Island has enacted legislation that provides specific protections to the medical records of individuals. See R.I. GEN. LAWS § 5-37.3-4 (2000). This statute, entitled the Confidentiality of Health Care Communications and Information Act [hereinafter the Act], “establish[es] safeguards for maintaining the integrity of confidential health care information that relates to an individual.” Id. § 5-37.3-2.
The Act appears to accomplish this goal by requiring a patient’s written consent whenever their confidential health care information is released, with some important exceptions. See id. § 5-37.3-4(a). These exceptions include: release of confidential information to other medical personnel, when necessary for diagnosis or treatment in an emergency; to qualified personnel conducting scientific research; to appropriate law enforcement personnel by a healthcare provider; to third party health insurers; to the attorney or medical liability insurance carrier of a healthcare provider; to public health authorities; for information regarding a worker’s compensation claim; to appropriate school authorities of disease by a healthcare provider; to a court pursuant to a subpoena; to the central cancer registry; and to family services along with several other entities further described in the statute. See id. § 5-37.3-4(b). Entities falling under the exceptions of the Act are not required to obtain written permission from individuals before releasing or accessing their medical records. Also, these exceptions do not permit disclosure of personal medical information to most private organizations. See id. It is also important to note that the Act provides various penalties for those who violate it. See id. § 5-37.3-4(a)(1-3). These include actual and punitive damages, attorney’s fees, a $5000 fine or up to six months imprisonment. See id. § 5-17.3-4(a)(1-3).
200. See MASS. REGS. CODE tit. 247, §§ 9.01(1-19) (1999); see also infra notes 358-68 and accompanying text.
unreasonable because it assumes that the legislature has the resources to enact laws protecting an individual’s privacy in every imaginable situation where the potential for an inappropriate invasion exists.
Therefore, until the legislature observes that pharmacy records are inadequately protected, it might simply assume that this information is sufficiently safeguarded under the Right of Privacy Statute and the Massachusetts Code of Regulations.201 In Weld, the defendant argued that there was no unreasonable, substantial or serious interference with either plaintiff’s privacy because the information received by the drug manufacturers and the mailing company was not confidential in nature.202 CVS contended that it never provided Elensys or the drug companies with any of plaintiff Kelley’s prescription information and that the only information disclosed to these entities was the plaintiff’s name, address, and date of birth.203 CVS further reasoned that “[a]s a matter of law, such disclosures are insufficient to give rise to a violation of G.L. c. 214, section 1B, which proscribes only the ‘disclosure of facts about an individual that are of a highly personal or intimate nature.’”204 However, the plaintiffs in Weld not only complained about the use of their names, addresses, and dates of birth without their permission, “but [also] complain[ed] that CVS’s marketing program as a whole, which involved at least the use of Kelley’s name, address and date of birth in conjunction with the systematic searching of customer prescription records, constitute[d] a violation of plaintiffs’ right of privacy.”205 The defendant used Pottle v. School Committee of Braintree206 to support his proposition that a violation of privacy does not occur when names and addresses alone are disclosed.207 However, the court explained that “the issue in Pottle was factually more narrow” concerning only “whether the disclosure of the names and addresses of public school employees fell within the privacy exemption of the public records statute,” section 7 of
201. See MASS. REGS. CODE tit. 247, § 9.01 (1999).
202. See Defendant’s Memorandum in Support of the Motion for Summary Judgment at 11, Weld v.
CVS Pharmacy, Inc., 10 Mass. L. Rptr. No. 10, 217 (Mass.Super. 1999) (No. CIV. A. 98-0897F) [hereinafter Defendant’s Mem. Supp. Summ. J.].
203. See id.
204. Id. (quoting Bratt v. International Business Machines Corp., 467 N.E.2d 126, 133-34 (1984)).
205. Weld, 1999 Mass. Super. LEXIS 261, at *14. The court hearing the summary judgment motion asserted that the Right of Privacy statute neither requires that the private information be disclosed to the public at large, nor “rule[s] out at least the possibility that the use of names and addresses for the purposes involved here, might constitute a violation.” Id. (citation omitted).
206. 482 N.E.2d 813 (Mass. 1985).
207. See Weld, 1999 Mass. Super. LEXIS 261, at *11-*12.
chapter 26 of the Massachusetts General Laws.208 The Pottle “court said that names and addresses [were] not ‘intimate details of a highly personal nature,’ and that ‘public employees, by virtue of their public employment, have diminished expectations of privacy,’ so that such information could be disclosed.”209 Conversely, in Weld, the plaintiffs did not relinquish their expectations of privacy since they were not public employees.210 Furthermore, the actual letters mailed included information specifically
208. Id. at *12.
209. Id. (citing Pottle v. School Comm. of Braintree, 482 N.E.2d 813, 817 (Mass. 1985)). Several other authorities cited by the defendant are also distinguishable for various reasons from the instant case. See Plaintiff’s Memorandum in Opposition to Defendant’s Motion for Summary Judgment at 21, Weld v. CVS Pharmacy, Inc., 10 Mass. L. Rptr. No. 10, 217 (Mass.Super. 1999) (No. CIV. A. 98-0897F) [hereinafter Plaintiff’s Mem. Opp’n. Summ. J.]. “Mulgrew v. City of Taunton, [574 N.E.2d 389 (Mass. 1991)] and Folmsbee v. Teck Tool Grinding & Supply, Inc., [630 N.E.2d 586 (Mass.
1994)] involved disclosure of personal information that would otherwise violate the statute but that, unlike the situation in this case, was found to be reasonable because of the employer’s legitimate business interests.” Id. at 21 n.33. Likewise, “Schlessinger v. Merrill Lynch, Pierce Fenner & Smith, [567 N.E.2d 912 (Mass. 1991)] held that cold calls from securities brokers to solicit business, while annoying, did not substantially or seriously interfere with the plaintiff’s privacy. However, that conduct involved no disclosure of any type of personal information.” Id. (citation omitted). Similarly, “Flesner v. Technical Communications Corporation, [575 N.E.2d 1107 (Mass. 1991)] and Canney v. City of Chelsea, 925 F.Supp. 58 (D.Mass. 1996) are distinguishable because in those cases, there was no evidence of any private information having been disclosed.” Id. at 21 n.33. Also in “Petsch-Schmid v. Boston Edison Company, 914 F.Supp. 697 (D.Mass. 1996), the [c]ourt found that communications alleged to have interfered with the plaintiff’s privacy were either privileged or authorized in connection with the plaintiffs’ employment or otherwise justified.” Id. at 21-22 n.33 (citation omitted). Finally, there is Cort v. Bristol-Meyers Company, [431 N.E.2d 908 (Mass. 1982)], which has a unique fact pattern that is inapplicable to the present case. See Plaintiff’s Mem. Opp’n. Summ. J. at 22 n.33. The plaintiff-employees in Cort “complained about personal information requested in an employer’s questionnaire; however, the Court found no invasion of privacy, because they refused to answer the allegedly offensive questions.” Id. (citation omitted).
210. See Weld, 1999 Mass. Super. LEXIS 261, at *12. In Doe v. Registrar of Motor Vehicles, 528 N.E.2d 880 (Mass. App. Ct.
1988), the court addressed an issue regarding the “availability of license applicant information such as name, address, date of birth, social security number and height under” section 30 of chapter 90 of the Massachusetts General Laws, and the court held that this information was not a “public record” and that disclosure of it may “constitute an unwarranted invasion of privacy, even though it was collected for a public purpose.” Weld, 1999 Mass. Super. LEXIS 261, at *12-*13 (citation and footnote omitted). Under sections 7 and 26(c) of chapter 26(c) of the Massachusetts General Laws, any “data relating to a specifically named individual, the disclosure of which may constitute an unwarranted invasion of . . . privacy” is excluded from public record status. Id. at *12 n.11.
identifying the medical condition the recipient was suffering from,211 so it cannot accurately be maintained by CVS that only names, addresses, and dates of birth were disclosed during this process. The broad language of the Right of Privacy Statute provides little guidance as to the type of behavior that would constitute an interference with privacy, nor have the courts created a bright-line test to determine actionable conduct under the statute.212 However, even interoffice communications among corporate employees containing personal information have been found by the courts to be an invasion of privacy under the statute.213 In Bratt v. International Business Machines Corp.,214 the SJC concluded that when the personal information of an employee is shared with co-workers, this is adequate publication to be deemed a violation of the privacy statute.215 In Tower v.
Hirschhorn,216 the SJC similarly held that if confidential medical information is revealed to more than one person without the patient’s consent, this act may be an invasion of privacy.217 Likewise, the confidential prescription information that CVS disclosed is surely among the types of personal information which the Right of Privacy Statute protects from disclosure.218 The violation of the plaintiffs’ privacy in Weld is even more astonishing in light of the fact that CVS affirmatively represented to its customers that the confidentiality of their prescription records would be preserved.219 These representations were made in a brochure available to all CVS customers at the pharmacy
211. See Plaintiff’s Mem. Opp’n. Summ. J., supra note 209, at 21. For example, the letter sent to plaintiff Kelley states “[I]f you have a history of heart disease or think you may be at risk for it (for example, if you have diabetes . . .).” Id. at 13. Kelley was targeted because he suffered from diabetes and this information was obviously revealed in the letter CVS sent to him.
212. See id. at 18. The Supreme Judicial Court had previously “indicated [sic] that the statute should be applied on a case-by-case basis . . . by balancing relevant factors . . . and by considering prevailing societal values and the ability to enter orders which are practical and capable of reasonable enforcement.” Weld, 1999 Mass. Super. LEXIS 261, at *15 (citations omitted).
213. See id. at *14 n.14 (citing Bratt v. International Business Machines Corp., 467 N.E.2d 126, 134 n.15 (Mass. 1984)).
214. 467 N.E.2d 126 (Mass. 1984).
215. See id. at 134 n.15; Plaintiff’s Mem. Opp’n. Summ. J., supra note 209, at 18 (citation omitted).
216. 492 N.E.2d 728 (Mass. 1986).
217. See id. at 732; Plaintiff’s Mem. Opp’n. Summ. J., supra note 209, at 18 (citation omitted).
218. See Plaintiff’s Mem. Opp’n. Summ. J., supra note 209, at 21; see also, e.g., Pressman v. Brigham Med. Group Found., Inc., 919 F.Supp.
516, 524 (D.Mass. 1996) (denying summary judgment on claim under M.G.L. ch. 214, § 1B that the defendants reviewed the plaintiff’s medical records without permission).
219. See Plaintiff’s Mem. Opp’n. Summ. J., supra note 209, at 15.
prescription counter.220 A section of the brochure entitled “Answers to Your Questions” stated: “Q. I want my prescription kept private. Who will have access to these records? A. The same people who have always had access to this information: you, your CVS pharmacist and your doctor.”221 The brochure further states: “CVS has always respected the confidentiality of the information in your prescription files and will continue to do so.”222 At the very least, CVS failed to comply with the express promise in its brochure, and it seems unlikely from the facts of this case that CVS “respected the confidentiality” of their customers’ prescription information. In actuality, CVS did the complete opposite. It used the personal information its customers entrusted to their pharmacists to assist drug manufacturers with their marketing programs. Furthermore, CVS’s argument that its conduct does not constitute a breach of the plaintiffs’ privacy because the information was given to it voluntarily by the plaintiffs223 is absurd since it is virtually impossible for an individual to legally obtain prescription medication without turning his prescription over to a pharmacist. In Alberts v. Devine,224 the SJC recognized that patients have a legitimate interest in maintaining the confidentiality of medical facts and that this confidentiality is “a cardinal rule of the medical profession, faithfully adhered to, . . . and . . .
justifiably relied upon by patients seeking advice and treatment.”225 The SJC reasoned that public policy favored safeguarding the right of patients to confidentiality.226 Accordingly, patients have the same expectation of and interest in privacy in their medical records, regardless of whether these records are maintained in hospital files, physician’s notes or as part of a prescription.227 Another possible solution to the problem in Weld would be for CVS and other pharmacies to distribute a consent form to their customers when they fill their prescriptions.228 This document would provide pharmacy customers with the opportunity to indicate to the pharmacy whether or not they are interested in receiving patient education materials.229 If the customer wishes to receive this additional information, they can provide
220. See id.
221. Id.
222. Id.
223. See Defendant’s Mem. Supp. Summ. J., supra note 202, at 16.
224. 479 N.E.2d 113 (Mass. 1985).
225. Id. at 119 (citing MacDonald v. Clinger, 84 A.D.2d 482, 483 (N.Y. 1982)).
226. See id.
227. See Plaintiff’s Mem. Opp’n. Summ. J., supra note 209, at 23.
228. See Rubinstein, supra note 36, at 229 n.208.
229. See id.
their authorization on the form.230 If they have no interest in this literature, they may decline, and thus avoid receiving any marketing materials from the pharmacy and its partners.231 Accordingly, the customer’s privacy will be protected from invasion since their personal prescription information will not be used for any targeted mailings. Notably, the controversy with Weld is not the actual harm caused by sending out letters, but the potential for much greater harm if these types of mailing lists fall into the wrong hands.232 These types of practices tend to blur the lines between marketing and medicine,233 giving the public a negative perception of the pharmaceutical industry’s use of data.
234 This perception tends to limit the industry’s ability to access the type of patient information critical to research, drug development, post-marketing surveys, and educational efforts.235 Likewise, if laws are enacted that impinge on the health care industry’s effectiveness, patients will suffer and health care costs will rise.236
IV. THE RIGHT OF PRIVACY UNDER FEDERAL LAW
There are presently no comprehensive federal laws regulating the confidentiality and privacy of an individual’s medical records.237 The law governing the privacy of these records consists of a patchwork of state and federal laws which leave most types of health records vulnerable to disclosure.238 The health records with the fewest “legal assurances of confidentiality” are those ordinary medical records of individuals collected and maintained by the private sector.239 These records often
230. See id.
231. See id.
232. See Paul Starr, Electronic Medical Information: Privacy, Liability, & Quality Issues, 25 AM. J.L. & MED. 193, 197-98 (1999).
233. See Henry L. Davis, An Invasion of My Privacy . . . . Blues Members Upset by Name Sharing, BUFFALO NEWS, Sept. 5, 1999, at A1.
234. See Glenna Crooks, Patient Privacy vs. Pharmacy Compliance: Health Care Values Collide, PHARMACEUTICAL EXECUTIVE, Vol. 19, Issue 4 (April 1, 1999).
235. See id.
236. See id.
237. See Turkington & Allen, supra note 125.
238. See id. at 223-24.
239. Richard C. Turkington, Medical Record Confidentiality Law, Scientific Research, and Data Collection in the Information Age, 25 JOURNAL OF LAW, MEDICINE & ETHICS 113, 119 (1997). Most confidentiality law is characterized by a caste system of protecting records. See id. The more intimate and highly personal the health record the stronger the privacy protections. See id. Therefore drug, alcohol, and mental health treatment records along with records of an individual’s HIV status receive the most privacy protection. See id.
General health records maintained by government agencies are lower in the caste, but are still given some legal assurances of privacy and confidentiality. See id. In fact,
include general releases authorizing the recipient of the information to further disclose individual medical information for any legal reason and are not unusual in third-party payer and insurance contracts.240 These comprehensive releases lead to the patient losing privacy and confidentiality since they permit medical information to be re-disclosed for uses aside from actual treatment by a medical professional.241
A. Current Federal Privacy Protections
1. The U.S. Constitution
The U.S. Constitution does not expressly entitle individuals to a right of privacy,242 although the “right to be let alone” has long been recognized.243 The right of privacy implicitly recognized in the Constitution has several aspects.244 Foremost, individuals have the right to make particular personal decisions without having the government interfere.245 These choices may include decisions relating to marriage, procreation, child bearing, child rearing, and various familial relationships.246 Additionally,
these records “are protected by privacy acts, by privacy and medical records exemptions in freedom of information and privacy acts, and by some fair information practices acts. They also enjoy a degree of constitutional protection.” Id.
240. See id.
241. See id.; see also Paul M. Schwartz, The Protection of Privacy in Health Care Reform, 48 VAND. L. REV. 295 (1995) (discussing privacy and data processing issues in health reform). See generally Gostin, supra note 16, at 480; Richard C. Turkington, Legal Protection for the Confidentiality of Health Care Information in Pennsylvania: Patient and Client Access; Testimonial Privilege; Damage Recovery for Unauthorized Extra-Legal Disclosure, 31 VILL. L. REV.
259 (1987) (discussing the various laws involving the confidentiality of health records).
242. See Jonathan Brant, A General Introduction to Privacy, 61 MASS. L.Q. 10, 11 (1976).
243. Olmstead v. United States, 277 U.S. 438, 478 (1928) (Brandeis, J., dissenting).
244. See Arnold, supra note 7, at 472.
245. See id. In Roe v. Wade, 410 U.S. 113 (1973), the right to privacy was expanded to include abortions affording individuals greater privacy protection in reproductive matters. See Rubinstein, supra note 36, at 206 n.24. Furthermore, in Eisenstadt v. Baird, 405 U.S. 438 (1972), the right to privacy was recognized as belonging to the individuals in a marital relationship and not just to the marital relationship itself. See id. Finally in Griswold v. Connecticut, 381 U.S. 479 (1965), the U.S. Supreme Court acknowledged the existence of privacy rights allowing married couples to control decisions in reproductive matters. See id.
246. See Arnold, supra note 7, at 472 n.97 (citing Roe v. Wade, 410 U.S. 113, 153 (1973), Doe v. Bolton, 410 U.S. 179, 192 (1973) (finding that the right of privacy can extend to protect a woman’s choice to end a pregnancy); Eisenstadt v. Baird, 405 U.S. 438, 453 (1972); Griswold v. Connecticut, 381 U.S. 479, 485-86
“disclosure privacy,” which refers to an individual’s ability to control the time, place and manner in which private information is revealed to others, protects an individual’s right to not have his private affairs made public by the government.247 Furthermore, the tradition of civil rights in the U.S. prevents the government from forcing “disclosure of certain aspects of private life, especially where relationships based on trust and confidentiality are involved.”248 The U.S.
Constitution also prohibits the government from surveillance of and intrusion into the private lives of individuals.249 However, most of these protections are only actionable when the government is involved in the privacy intrusion. 250 Generally, the privacy rights contained in the Constitution will only protect an individual from governmental privacy invasions and not from those by private groups or individuals.251 Unfortunately, “the overwhelming majority of . . . medical information in the United States is . . . in the hands of the [private sector], . . . such . . . as non-governmental doctors and hospitals, and insurance companies.”252 Private entities such as these are highly unlikely to meet the tests necessary to establish state action and, therefore, individuals whose privacy is invaded by such organizations will not be protected under constitutional law.253 Even though many feel they have a right to keep their medical records private, the Supreme Court has been hesitant to acknowledge this. 254 In Whalen v. Roe,255 the Supreme Court addressed the issue of whether the State of New York could maintain, in a centralized database, the names and addresses of individuals filling prescriptions for certain dangerous

(1965) (holding that contraceptives are included in the right of privacy); Pierce v. Society of Sisters, 268 U.S. 510, 534-35 (1925); Meyer v. Nebraska, 262 U.S. 390, 399 (1923) (deciding that the Constitution protects an individual’s freedom to make decisions involving matters of child rearing)). 247. See Arnold, supra note 7, at 472. 248. Id. 249. See id. at 473. “The Fourth Amendment’s prohibition against unreasonable searches and seizures restrains government access to information that the individual reasonably expects to be kept private. This protects both paper documents and electronic signals.” Id. (footnotes omitted). 250. See SCHWARTZ & REIDENBERG, supra note 123, at 172. 251. See id.
This limitation is expressed in Constitutional law by the “state action” doctrine. See id. “Before constitutional rights can be relied upon, the state action doctrine requires action by the government itself or a close nexus between the government and the behavior of the private entity that has infringed [upon] the right.” Id. 252. Id. 253. See id. 254. See Rubinstein, supra note 36, at 207. 255. 429 U.S. 589 (1977).

medications which are available through both legal and illegal channels. 256 The Court decided that since the statute was an “orderly and rational legislative decision, . . . the legislature’s enactment of the patient-identification requirement was a reasonable exercise of New York’s broad police powers,” which was necessary to “minimize the misuse of dangerous drugs” and to control their distribution. 257 The Supreme Court indicated that even though the case law contained informational privacy rights prohibiting the “disclosure of personal matters” and protecting the independence in decision-making,258 New York’s procedure for data collection did not infringe upon either of these two interests.259 The Court reasoned that the state’s security measures in collecting and maintaining a patient’s personal medical data were adequately designed to insure protection from public disclosure. 260 The Court further stated that the New York statute did not interfere with the patient’s decision-making since “the decision to prescribe, or to use” remained within the control of the doctor and the patient. 261 Although Whalen has the potential to be a key component in data privacy law, it has failed to produce strong federal protections for medical privacy.262 Many lower courts have applied the first Whalen interest of

256. See id. at 591. 257. Id. at 597-98. 258. Id. at 599-600. 259. See id. at 600.
The Court noted that: [The private information that must be disclosed under the statute is not] meaningfully distinguishable from a host of other unpleasant invasions of privacy that are associated with many facets of health care. Unquestionably, some individuals’ concern for their own privacy may lead them to avoid or to postpone needed medical attention. Nevertheless, disclosures of private medical information to doctors, to hospital personnel, to insurance companies and to public health agencies are often an essential part of modern medical practice even when the disclosure may reflect unfavorably on the character of the patient. Requiring such disclosures to representatives of the State having responsibility for the health of the community, does not automatically amount to an impermissible invasion of privacy. Id. at 602. 260. See Whalen v. Roe, 429 U.S. 589, 601 (1977). 261. Id. at 603. 262. See SCHWARTZ & REIDENBERG, supra note 123, at 174; see also Doe v. Southeastern Penn. Transp. Auth., 72 F.3d 1133, 1137-38, 1143 (3d Cir. 1995) (finding that the privacy protection granted in Whalen to an individual’s medical records should be expanded to include prescription records since “[i]t is now possible from looking at an individual’s prescription records to determine that person’s illnesses, or even to ascertain such private facts as whether a woman is attempting to conceive a child through the use of fertility drugs;” and further stating that “a self-insured employer’s need for access to employee prescription records under its health insurance plan, when the information disclosed is only for

“nondisclosure” to “governmental attempts to obtain or examine [individual] medical information,” but have been inconsistent in their application.263 Some of these courts have interpreted Whalen as authorizing all legitimate requests for medical data by the government, while others have allowed the “nondisclosure interest” to apply only to a limited group of fundamental constitutional rights, thus restricting the government’s access to some medical data. 264 Any further interpretation of the second Whalen interest of “autonomy in decision-making” has been almost completely absent from subsequent decisions similar to Whalen.265 The due process clause of the Fourteenth Amendment can be violated if an individual’s medical information is disclosed without consent. 266 This amendment recognizes as a liberty interest an individual’s freedom to care for his or her health.267 The release of private medical information can also impact a person’s property interest in his reputation. 268 Therefore, the

the purpose of monitoring the plans by those with a need to know, outweighs an employee’s interest in keeping his prescription drug purchases confidential” because the intrusion is trivial); Doe v. Borough of Barrington, 729 F. Supp. 376, 384-85 (D.N.J. 1990) (holding that “[d]isclosures about AIDS cause a violation of the family’s privacy much greater than simply revealing any other aspect of their family medical history,” and recognizing that an individual’s “privacy interest in [their] exposure to the AIDS virus is even greater than [their] privacy interest in ordinary medical records because of the stigma that attaches with the disease”); United States v. Westinghouse Elec. Corp., 638 F.2d 570, 580 (3d Cir. 1980) (holding “that the strong public interest in facilitating the research and investigations of [the National Institute for Occupational Safety and Health (NIOSH)] justify . . .
minimal intrusion into the privacy which surrounds [the medical records of Westinghouse employees], and that Westinghouse is not justified in its blanket refusal to give NIOSH access to them”); United States v. Acklen, 690 F.2d 70, 75 (6th Cir. 1982) (concluding that “the pharmaceutical industry . . . is a pervasively regulated industry and that consequently pharmacists and distributors subject to the Controlled Substances Act have a reduced expectation of privacy in the records kept in compliance with the Act,” and under certain circumstances the government may inspect these records by obtaining only an administrative inspection warrant and not a search warrant); Stone v. City of Stow, 593 N.E.2d 294, 300-01 (Ohio 1992) (finding that “[s]ince a pharmacy is a pervasively regulated business, the ‘administrative search’ exception to the warrant requirement applies [leaving the] pharmacist [with] a reduced expectation of privacy in the prescription records he or she keeps”). 263. SCHWARTZ & REIDENBERG, supra note 123, at 174; see also, e.g., Mann v. University of Cincinnati, 824 F. Supp. 1190 (S.D. Ohio 1993); Doe v. Borough of Barrington, 729 F. Supp. 376 (D.N.J. 1990). 264. See SCHWARTZ & REIDENBERG, supra note 123, at 174-75; see also, e.g., Walls v. City of Petersburg, 895 F.2d 188 (4th Cir. 1990). 265. See SCHWARTZ & REIDENBERG, supra note 123, at 175. 266. See Arnold, supra note 7, at 473. 267. See id. 268. See id. (citing Whalen v. Roe, 429 U.S. 589, 599-600 (1977) (finding that individuals have a protected privacy interest in avoiding disclosure of private

collection and maintenance of medical information implicates procedural due process concerns as well.269 However, this amendment does not provide an absolute right of privacy for a person’s health records.270 The state need only demonstrate a compelling interest in order to justify regulation of protected rights.271 “For example, public health concerns can outweigh the private interest in avoiding disclosure of individual disease; prescription data can be seized to monitor possible drug abuse; and a national health care program . . . may proscribe the individual’s ability to make . . . decisions concerning health care.”272 Although CVS and drug manufacturers may not be able to show a compelling interest in having private health data disclosed, this is presently of no consequence because the protections of the U.S. Constitution are only applicable when government action is involved. 273 As a result, individuals are not protected from the invasive actions of the private sector.274 When individual privacy is invaded by private entities, the Constitution offers no assistance.275

2. Federal Statutory Protections

Federal statutory provisions have also failed to adequately support the limited constitutional safeguards for medical privacy, 276 and as the use of computer technology grows, so does the abuse of an individual’s privacy interest in their medical records.277 One specific federal regulation of prescription records was provided by the Omnibus Budget Reconciliation Act of 1990278 (OBRA), which transformed the pharmacist’s role. 279 OBRA placed responsibility on all states to create laws requiring pharmacists to take on particular legal responsibilities. 280 These minimum standards set in OBRA are used by the federal government as a Medicaid

information). But see Paul v. Davis, 424 U.S.
693, 712-13 (1976) (holding that state tort law protects an individual’s interest in their reputation unless it affects a substantial interest such as employment, which would then be considered a deprivation of a liberty or property interest)). 269. See Arnold, supra note 7, at 473. 270. See id. at 474. 271. See id. 272. Id. 273. See SCHWARTZ & REIDENBERG, supra note 123, at 172. 274. See id. 275. See id. 276. See id. at 175. 277. See Arnold, supra note 7, at 474. 278. 42 U.S.C. § 1396r-8 (1994 & Supp. IV 1999). 279. See Brenda Jones Quick, The Cost of the Omnibus Budget Reconciliation Act of 1990, 2 OHIO N.U. J. OF PHARMACY & L. 145, 145 (1994). 280. See id.

funding mechanism.281 Under this statute, pharmacists must try to obtain personal data on each patient, including their medical history, 282 and must counsel their patients on certain designated matters. 283 Furthermore, they must also create patient profiles which should include the state of the patient’s disease in addition to notations made by the pharmacists. 284 In addition to OBRA, many state legislatures have extended the pharmacist’s authority to include the initiation and adjustment of a patient’s drug therapy and the ordering of laboratory testing. 285 This extension is supported by both the federal and states’ legislatures’ beliefs that appropriate medication use by patients will significantly reduce the cost of healthcare.286 Enlargement of the pharmacist’s authority along with the ability to access all relevant information will result in better informed pharmacists who can provide superior treatment. 287 Although OBRA may help to reduce some healthcare costs, its drafters failed to consider that many people view their medical information with exceeding sensitivity, requiring a heightened level of privacy.
288 This is particularly true since the statute fails to give patients any legal guarantees that their pharmacy records will remain confidential and will not be disclosed without their consent some time in the future. 289 Not surprisingly, patients are often hesitant to disclose information with

281. See Berger, supra note 23, at 140. 282. See 42 U.S.C. § 1396r-8 (g)(2)(A)(ii)(II) (1994 & Supp. IV 1999). 283. See id. § 1396r-8 (g)(2)(A)(ii)(I). The following information assists pharmacists with the required counseling: (aa) The name and description of the medication. (bb) The route, dosage form, dosage, route of administration, and duration of drug therapy. (cc) Special directions and precautions for preparation, administration and use by the patient. (dd) Common severe side or adverse effects or interactions and therapeutic contraindications that may be encountered, including their avoidance, and the action required if they occur. (ee) Techniques for self-monitoring drug therapy. (ff) Proper storage. (gg) Prescription refill information. (hh) Action to be taken in the event of a missed dose. Id. See Berger, supra note 23, at 140. See id. See id. See id. See id. See Quick, supra note 279, at 160-61. See id. An Ohio court ruled that a “statutory and regulatory program allowing officers and pharmacy board agents to inspect records withstands constitutional scrutiny” because patients had no legitimate privacy expectation. See Stone v. Stow, 593 N.E.2d 294, 297 (Ohio 1992). 284. 285. 286. 287. 288. 289.

pharmacists that they wish to keep private. 290 It is clear that once individuals discover the lack of legislation protecting the confidentiality of their pharmacy records and communications with their pharmacist, there could be a “chilling effect on the pharmacist’s efforts to collect the data . . .
[needed] to provide proper counseling as required by OBRA.”291 However, through the enactment of regulations guaranteeing patients some degree of confidentiality with regard to their pharmacy records and communications with their pharmacist, Congress could ameliorate this statutory deficiency.292 Congress provided more general privacy protections with its enactment of the Privacy Act293 and the Freedom of Information Act (FOIA), 294 both of which were created to protect individuals from covert government control of private information.295 These laws promote protection of confidential information, yet also allow access to it. 296 The Privacy Act is presumed to give individuals control over the use and collection of private information by the federal government.297 When agencies gather data on individuals, this statute requires them to give notification that the data is being collected, to explain the purpose for which the data is being collected, and to inform the individuals as to voluntary or mandatory nature of the disclosure.298 The Freedom of Information Act makes executive branch records available to any member of the public, unless the records fall within at least one of nine exemptions. 299 One of these exemptions includes “personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.”300 “Congress enunciated . . . [that this particular exemption requires] the balancing of private and public interests.” 301 With regard to medical information, the Privacy Act and FOIA “apply to federal institutions and to Medicare and Medicaid programs [sustained] by a federal agency.”302 The Privacy Act is also applicable to insurance companies participating in the Medicare program and to hospitals

290. See Quick, supra note 279, at 161. 291. Id. 292. See id. 293. See 5 U.S.C. § 552a (1994). 294. See id. 295. See Arnold, supra note 7, at 475. 296. See id. 297. See id. 298. See id.; see also 5 U.S.C. § 552a (e)(3) (1994). 299. See 5 U.S.C. § 552(b). 300. Id. § 552 (b)(6). 301. Department of the Air Force v. Rose, 425 U.S. 352, 373 (1976). 302. Arnold, supra note 7, at 475 (citing HERMAN SCHUCHMAN ET AL., CONFIDENTIALITY OF HEALTH RECORDS 67 (1982)).

possessing a government agency contract to maintain medical records.303 However, if a private entity does not participate in a program administered by the federal government, the safeguards offered to individual medical records by these acts are immaterial since the protections solely apply to information maintained and controlled by the federal government. 304 The Americans with Disabilities Act (ADA) 305 is another federal statute that attempts, in part, to protect individual medical records. 306 The ADA’s purpose is to prevent employers from using an employee or job applicant’s health as a consideration in making employment decisions. 307 However, this law has not been able to offer much protection because it is very difficult for most job applicants to prove that their health information was a factor in the employment decision.308 The Age Discrimination in Employment Act309 has proven to be even less helpful.310 This statute forbids the use of age as a consideration in making hiring and firing decisions, however, it does not protect individuals who are adversely affected by such employment decisions resulting from the consideration of medical information.311 Employers today possess a great deal of medical information about their employees.312 The Employment Retirement Income Security Act of 1974 (ERISA) allows many employers to self-insure, and through the process of utilization review, in addition to claims processing and auditing, employers have significant contact with the private medical information of employees.313 Furthermore, a self-insured employer may rewrite his

303. See Arnold, supra note 7, at 475; 5 U.S.C. § 552a (m)(1) (1994 & Supp. IV 1999).
304. See Arnold, supra note 7, at 475. 305. 42 U.S.C. § 12101 (1990). 306. See SCHWARTZ & REIDENBERG, supra note 123, at 177. 307. See id. 308. See id. 309. 29 U.S.C. § 621 (b) (1994 & Supp. IV 1999). 310. See SCHWARTZ & REIDENBERG, supra note 123, at 177. 311. See id. An individual’s medical information is best protected in the United States when treatment is received from a federally funded substance abuse clinic or a facility subject to federal regulation. See id. at 177-78. This is because the laws in this area provide for outstanding data protection. See id. at 177. The goal of these laws is to encourage participation in drug and alcohol treatment programs, thus, the confidentiality of the programs is very structured. See id. 312. See Rubinstein, supra note 36, at 210. 313. See id. In Doe v. Southeastern Pennsylvania Transportation Auth., 72 F.3d 1133 (3d Cir. 1995), the plaintiff sued his employer when his identity appeared in a utilization report linked with his prescription for zidovudine, a drug used to treat HIV, and subsequently the plaintiff’s supervisor revealed the plaintiff’s HIV status to other employees. See id. at 1135-37; Rubinstein, supra note 36, at 210 n.56. The plaintiff prevailed at trial, but his $125,000 award was overturned on appeal because the court reasoned that the employer’s interest in the

health plan excluding high-cost illnesses, after having collected information about high-cost employees plagued by these costly sicknesses.314 The ADA offers no protection to the employee under these circumstances because “[d]iscrimination in health benefits is permissible under the ADA so long as it is based on valid actuarial principles and is not a subterfuge for disability discrimination.”315

B. Proposed Federal Legislation

Three bills have been introduced in the U.S. Senate with the intent of protecting the confidentiality and privacy of medical records.
316 The first is sponsored by Senator Patrick Leahy (D-Vt.) and is called the Medical Information Privacy and Security Act (Leahy bill). 317 The second is the Health Care Personal Information Non-Disclosure Act (Jeffords bill), which is sponsored by the Senate Health, Education, Labor and Pensions Committee Chairman James Jeffords (R-Vt.) and Senator Christopher Dodd (D-Ct.).318 The third bill was introduced by Senator Robert Bennett (R-Utah) and is entitled the Medical Information Protection Act of 1999 (Bennett bill).319 These three bills have many similarities, including a finding by Congress that individuals are entitled to confidentiality of their protected medical and health related records and empowering patients to copy, examine and modify their records.320 Furthermore, they require that organizations maintaining this type of information provide notice to consumers detailing the organization’s purpose for using and disclosing data, explaining their confidentiality practices, and notifying consumers of

plaintiff’s pharmacy information outweighed the “minimal intrusion” into the plaintiff’s privacy. See id. at 1135, 1143; Rubinstein, supra note 36, at 210 n.56. 314. See generally McGann v. H & H Music Co., 946 F.2d 401 (5th Cir. 1991). 315. GENETIC SECRETS: PROTECTING PRIVACY AND CONFIDENTIALITY IN THE GENETIC ERA 295 (Mark A. Rothstein, ed. 1997). 316. See Rubinstein, supra note 36, at 219. 317. See id. (citing H.R. 1057, 106th Cong., 1st Sess. (1999)). Representative Edward Markey (D-Ma.) introduced the House companion bill. See id. at 219 n.113. 318. See id. at 219 (citing S. 578, 106th Cong., 1st Sess. (1999)). Senator Dodd hopes that this bill will represent a sensible middle ground in all of the proposals previously offered to Congress. See id. 319. See id. (citing S. 881, 106th Cong., 1st Sess.
(1999)). This bill is generally favored by the data user community and has been endorsed by forty-four organizations “including the American Association of Health Plans, the Health Insurance Association of America, the Association of American Medical Colleges, the American Hospital Association and the Pharmaceutical Research and Manufacturers Association.” Id. 320. See id.

their privilege to access and modify their records. 321 Facilities that house protected medical information and records are required by all three bills to create procedures, policies, and safeguards to ensure the security of these files.322 Also, if an individual’s privacy rights are violated, “all provide a broad array of enforcement mechanisms” against the violators. 323 Not surprisingly, these three bills also contain many disparities. 324 Nonidentifiable health information is exempted from coverage in all of the bills, nonetheless the definition of this term varies in each. 325 The Leahy bill “requires that ‘all personal identifiers . . . have been removed and a good faith effort to evaluate the risks of re-identification has been made.’”326 The Jeffords bill stipulates that “the information ‘does not directly reveal the identity of the individual . . . and there is no reasonable basis to believe that such information could be used, either alone or with other information . . . to reveal the identity of the individual.’” 327 Information is excluded by the Bennett bill “‘from which personal identifiers that directly reveal the identity of the individual . . .
or provide a direct means of identifying the individual (such as name, address and social security number) have been removed, encrypted or replaced with a code, such that the identity of the individual is not evident.’” 328 It is likely that this provision will be considered insufficient by groups who argue that it is possible to identify individuals by deciphering encrypted data and connecting it with public information.329 These three bills also approach consent issues in substantially different ways.330 According to the Jeffords bill, providers and payers may demand “that patients consent to disclosure of their medical information for treatment, payment and ‘health care operations’ purposes as a condition of

321. See id. 322. See Rubinstein, supra note 36, at 219. 323. Id. These enforcement mechanisms “include civil and criminal sanctions for wrongful disclosure.” Id. at 219 n.122. 324. See id. at 220. 325. See id. 326. Id. (citation omitted). 327. Id. at 220 (citation omitted). 328. Rubinstein, supra note 36, at 220 (citation omitted). The interpretation of this passage from the Bennett bill will likely hinge on the definition of “evident” being applied. See id. 329. See id. “The obsession of some privacy advocates with the possibility that encrypted or anonymized data will be turned into identifiable data and be publicly released injects a red herring into the privacy debate.” Id. at 229. Although “it may be possible, in theory, for a medical or health policy researcher to identify a data subject from anonymized data, institutional norms already create a substantial disincentive for the researchers to do so.” Id. 330. See id. at 220.

receiving service.”331 Similarly, the Bennett bill provides that all individuals participating in health insurance programs sponsored by their employer or in individual health plans must provide, as a condition of participation, a blanket consent which authorizes use of protected medical information for payment, treatment, and health care operations. 332 However, the Leahy bill with its narrower view, permits payers and providers to condition a patient’s procurement of medical services on the patient’s consent to disclose their information for payment and treatment purposes, omitting the requirement that a patient consents to disclosure for “health care operations” purposes.333 These bills all forbid the withholding of services by payers and providers from patients who did not consent to disclosure of their medical information for marketing purposes.334 Moreover, each addresses the use of identified medical information for the purpose of health research without the individual’s consent.335 Preemption is another issue causing significant discord between the opponents and proponents of these bills. 336 This “debate involves the

331. Id. (citation omitted). Healthcare operations are defined as “activities that implement a health benefits contract or those that are part of the management function of health plans and service providers.” Id. Some examples of these functions are “quality assurance, outcomes research, accreditation, licensing, analysis of claims and medical records, utilization review, underwriting, [and] auditing.” Id. 332. See id. 333. See id.; see also supra note 331 (defining healthcare operations). 334. See Rubinstein, supra note 36, at 220. 335. See id. at 221. In the Leahy bill, organizations must first determine whether their stated public health purpose can be achieved by using de-identified data prior to the release of identifiable data. See id.
This bill would also expand the “Common Rule,” which currently regulates federally funded research on human subjects to include similar research that is privately funded. See id. Therefore, unless an institutional review board (IRB) determines that waiver of an individual’s consent to disclose identifiable medical data is justifiable, all privately funded human subject research using such data will require informed consent by the individual research subjects. See id. The Jeffords bill “does not extend the ‘Common Rule’ to privately funded research,” but instead “maintains the status quo on disclosure of protected health information to health researchers for the time being.” Id. If any of three conditions are met, the Bennett bill permits access to identifiable medical information for research purposes. See id. First, under the “Common Rule,” access will be allowed if the research is authorized by an IRB. Second, “[a]ccess to health care records and medical archives may also be granted to researchers, after review by an internal board or committee, under the terms of a written confidentiality agreement between the organization maintaining the records and the researcher.” Id. Third, “access to identifiable health information may also be granted to manufacturers of drugs, medical devices and biologics for monitoring or verifying the safety or efficacy of their products.” Id. 336. See id. at 221-22.

extent to which federal legislation will preempt state law.” 337 The data users advocate that any new federal legislation regulating medical record privacy should completely preempt all state law. 338 Conversely, the privacy advocates argue that only less protective state law should be preempted by the new federal legislation.
339 However, both sides agree that a health information system cannot function effectively if it has fifty unique sets of ground rules.340 Data users will likely be unsatisfied by the Jeffords and Leahy bills’ treatment of the preemption issue. 341 The Jeffords bill “protects existing state laws on medical record confidentiality and gives the states eighteen months from the date of its enactment to impose more restrictive regulations.” 342 States will not be permitted to pass any new legislation for the protection of health record confidentiality after the eighteen-month period expires.343 The Leahy bill is even more permissive of preemption than the Jeffords bill. 344 It allows states to legislate more restrictively than the federal government in the area of medical information privacy and confidentiality, and they may do so at any time.345 However, data users will most likely favor the Bennett bill which proposes to preempt practically all state legislation regarding “disclosure and use of identifiable health information,” making federal regulation the last and only word on the subject. 346

C. Weld v. CVS Pharmacy, Inc. and Federal Privacy Protections

Although the current federal laws offer protection of some medical records, it is obvious from their descriptions 347 that they fail to safeguard the medical and prescription records of individuals from privately operated entities such as CVS. Even the United States Constitution is only able to offer protection to individuals whose privacy is invaded by the government, and similar to the current federal laws fails to protect against individual privacy violations caused by private organizations. 348 To say the least, legislation protecting individual pharmacy and medical records from disclosure to the private sector is conspicuously absent.

337. Id. at 217. 338. See id. 339. See id. 340. See Rubinstein, supra note 36, at 217. 341. See id. at 221. 342. Id. at 222. 343. See id. 344. See id. 345. See id. 346. Rubinstein, supra note 36, at 222. 347. See supra notes 276–315 and accompanying text. 348. See supra notes 242–75 and accompanying text.

Undoubtedly, the current legislation proposed to safeguard medical record privacy would ease some of the concerns raised in Weld. However, the greatest obstacle to the enactment of one of these proposed bills is the critical requirement of compromise between data users and privacy advocates, especially regarding the issue of preemption. All three of the proposed bills recognize that researchers must be able to access medical data without having to first obtain consent from each and every subject. 349 The bill proposed by Senator Bennett is the most flexible in making data available to institutional researchers, yet it still safeguards patient privacy interests.350 Nonetheless, as data users compare these competing bills they may realize that consent requirements are less of a problem for them than the preemption provisions.351 The Bennett bill proposes to preempt almost all state legislation concerning medical record privacy, while the Jeffords and Leahy bills both permit more restrictive legislation by the states to stand. 352 Accordingly, if the Bennett bill does not prevail, data users face the possibility that their access to data in some states may be restricted by more stringent state laws.353 The consequence of these laws may be restriction on the work of doctors, researchers, health plans, and others who are interested in improving the delivery of healthcare.
354 These potential laws may also cause the undesired result of skewing research conclusions, if they deprive data users of access to information concerning key populations.355 Conversely, the preemption provisions of the Leahy and Jeffords bills would cause the citizens of states choosing not to enact more stringent legislation to bear any minimal privacy invasions resulting from access by researchers to their medical records, while individuals residing in other states would be free from this burden of disclosure.356

Obviously, some federal protection is needed to safeguard the confidentiality of individual medical records. Without federal legislation in this area, individuals similarly situated to the plaintiffs in Weld will be forced to rely on the protections provided, or not provided, by the state in which they or their medical records reside. However, if the nation as a whole is to benefit from the work of data users and researchers, it seems only right that minimal burdens on individual privacy interests be spread among all citizens of the United States, and this can only be achieved by the enactment of certain minimum federal safeguards.357

349. See Rubinstein, supra note 36, at 230.
350. See id.
351. See id.
352. See id.
353. See id.
354. See id.
355. See Rubinstein, supra note 36, at 230. Other undesirable consequences of state medical record privacy laws that are too restrictive would include placing researchers within the state at a competitive disadvantage in obtaining funding for their work, deterring businesses involved in the development of medical technology from locating in the state, and causing health plans that rely on data to assess the cost effectiveness of medical care to restrict access to certain services or even leave the state altogether. See id. at 230 n.213.
356. See id. at 230.

V. LAWS REGARDING PHARMACISTS

A. Massachusetts Laws Governing Pharmacists

There is definitely no lack of legislation in Massachusetts overseeing the practice of pharmacy. The state has several requirements and expectations for pharmacists practicing in the Commonwealth which are detailed in a specific set of rules classified in the Code of Massachusetts Regulations under the Board of Registration in Pharmacy 358 as well as in the Massachusetts General Laws.359 The regulations most relevant to the present topic are those requiring pharmacists to maintain the confidentiality of communications between themselves and their patients while also keeping those patients’ records private.360 The first and most definitive regulation in this area indicates that:

A pharmacist shall maintain patient confidentiality at all times. Confidential information shall include information maintained by the pharmacist in the patient’s records or information which is communicated to the patient as part of patient counseling, which is privileged and may be released only by the patient or to those practitioners and other pharmacists where, in the pharmacist’s professional judgment, such release is necessary to protect the patient’s health and well being; and to such other persons or governmental agencies authorized by law to receive such confidential information.361

357. See id.
358. See MASS. REGS. CODE tit. 247, § 9.00 (1999). Some of these provisions require that pharmacists always conduct their professional activities in compliance with all regulations of the Board of Registration in Pharmacy, as well as with municipal, state and federal law. See id. § 9.01(1). Pharmacists are also forbidden to dispense any substance, medication or device in a manner that will either directly or indirectly bypass or disregard the law. See id. § 9.01(2). Furthermore, they must observe current U.S. Pharmacopoeia standards and when on duty are responsible for all preservation, storage, and security of all drugs in the pharmacy. See id. §§ 9.01(3), (5). Pharmacists must also maintain separate prescription files for certain controlled substances, and these must be segregated from all other records in the pharmacy. See id. § 9.05.
359. See, e.g., MASS. GEN. LAWS ch. 13, § 22 (2000) (covering board of registration in pharmacy, membership, qualifications, appointment, and term); MASS. GEN. LAWS ch. 94C, § 21A (covering prescriptions, prospective drug review and counseling by pharmacists); MASS. GEN. LAWS ch. 112, § 24 (2000) (covering registration of pharmacists, examination, and fees); MASS. GEN. LAWS ch. 112, § 24A (2000) (covering records, expiration of registrations, renewals, reinstatement, and fees); MASS. GEN. LAWS ch. 112, § 61 (2000) (suspension, revocation or cancellation of certificate, registration, license or authority by boards, student loan defaulters, and review); and MASS. REGS. CODE tit. 247, § 9.05 (1999) (covering prescription file maintenance).
360. See MASS. REGS. CODE tit. 247, § 9.01(19) (defining the code of professional conduct for registered pharmacists, pharmacies, and pharmacy departments); see also id. § 9.07 (regarding the maintenance of patient records, conducting a prospective drug utilization review and patient counseling).

This regulation also protects the privacy of a person’s pharmacy records by prohibiting pharmacists from participating in any acts that are deceptive or fraudulent.362 Arguably, this language could include the disclosure or sale of the information in individual pharmacy records to a third party without the patient’s knowledge or consent as a deceptive act by the pharmacist or the pharmacy. Another regulation mandates that a patient’s pharmacy records be maintained in a confidential manner.
363 The purpose of this rule is to improve the public’s health and welfare by requiring pharmacists to offer their patients the opportunity to discuss any questions and concerns they may have about their prescriptions.364 These consultations help to promote “optimum therapeutic outcomes, avoid patient injury and reduce medication errors.”365 The legislature’s insistence that “[a] pharmacist or [the] pharmacist’s designee . . . maintain a confidential record for all patients for whom prescriptions are dispensed” only aids in promoting this regulation’s ultimate goal of enhancing public health and welfare.366 The pharmacist’s offer to counsel the patient should be made to them either in person or by telephone.367 The regulation also specifies that the offer to counsel can be made to an individual acting on the patient’s behalf, but only if “confidentiality can be maintained.”368

361. Id. § 9.01(19).
362. See id. § 9.01(6).
363. See id. § 9.07(1)(a).
364. See id. § 9.07.
365. Id.
366. See MASS. REGS. CODE tit. 247, § 9.07(1)(a) (1999). This regulation also indicates the type of information that pharmacists should include in a patient’s record. See id. “The patient record system shall provide for the immediate retrieval of information necessary for the pharmacist to identify previously dispensed drugs at the time the prescription is presented for dispensing.” Id. The pharmacist and his assistant must also acquire, document, and maintain the patient’s “name, address, telephone number, date of birth or age, and gender of the patient for whom the prescription is intended.” Id. § 9.07(1)(a)(1). They must also record “individual history, . . . drug allergies and drug reactions; . . . a comprehensive list of medications and relevant devices dispensed by the pharmacy; and . . . the pharmacist’s comments relevant to the patient’s drug therapy.” Id. §§ 9.07(1)(a)(2), (3).
367. See id. § 9.07(3)(e).

B. Weld v. CVS Pharmacy, Inc. and the Laws Overseeing Pharmacists in Massachusetts

These laws clearly demonstrate the legislature’s intent to protect the privacy and confidentiality of individual pharmacy records from inappropriate and unauthorized disclosure. It is also indisputable that Massachusetts law specifically recognizes that prescription records are confidential. However, the question in Weld is whether CVS breached a duty of confidentiality to its customers, not whether the CVS pharmacists breached this duty. Nonetheless, it is still quite likely that CVS violated the confidentiality and privacy of its customers. CVS expressly maintained in a brochure that it recognized a customer’s expectation of privacy and affirmatively represented to individuals reading the brochure that only the customer, their doctor, and the CVS pharmacist would have access to the customer’s prescription information maintained by the pharmacy.369 Accordingly, it can be argued that these express statements in the brochure created a duty of confidentiality owed by CVS to its customers. This duty was subsequently breached by CVS when it created mailing lists for drug manufacturers to better target particular markets by using the confidential prescription information in its databases.

The regulation protecting pharmacist-patient confidentiality was most likely created by the legislature with the intent of protecting individual pharmacy records from unauthorized disclosure to third parties.370 A broad interpretation of this regulation could make it applicable to Weld and fulfill this intention. Since pharmacists owe a duty of confidentiality to their patients, it seems only logical that this confidentiality can only be maintained successfully if the pharmacists’ employers also respect it. Likewise, when a large drugstore chain, such as CVS, employs pharmacists, the pharmacists alone cannot maintain prescription record privacy.
It is critical that the pharmacists receive support from their superiors and the company itself in order to ensure that confidentiality is maintained. If pharmacists do not receive the necessary support, they will be faced with the choice of challenging management and company policies or leaving their job. These alternatives are obviously impractical for pharmacists to exercise regularly and that is why the regulation protecting pharmacist-patient confidentiality should be extended to the pharmacists’ employers. In the instant case, this extension would require CVS to maintain the same level of privacy and confidentiality that its individual pharmacists are required to maintain by law.

368. Id.
369. See Plaintiff’s Mem. Opp’n. Summ. J., supra note 209, at 25.
370. See supra notes 358–68 and accompanying text.

It is interesting to note that Massachusetts law also provides a code of professional conduct for veterinarians,371 requiring that they too maintain “a confidential relationship with . . . [their] clients . . . .”372 The fact that the legislature decided to protect the medical record privacy of animals would seem to indicate that protection of the privacy and confidentiality of all medical communications and records is taken very seriously by the Massachusetts Legislature. Accordingly, individual pharmacy records should also receive such protection.

C. Other Rules Overseeing Pharmacists

Pharmacists and physicians also have ethical obligations which supplement the legal protections given to medical records and information.373 All doctors must take the Hippocratic Oath, which requires that physician-patient communications remain confidential, and in section 5.05 of the Principles of Medical Ethics set out by the American Medical Association (AMA), physicians are also required to maintain patient confidences.374 The belief behind these principles is that the most effective treatment can only be provided when individuals feel that they can securely divulge their personal medical information to their doctor.375

A Code of Ethics has also been created by the American Pharmaceutical Association (APhA).376 The most relevant provisions indicate that a pharmacist’s duty is to help individual patients and to maintain their trust; pharmacists promote the patient’s welfare with compassion, caring, and their focus is on serving their patients in a confidential manner; pharmacists conduct their work in an honest manner and with integrity; and a pharmacist’s primary obligation is to his individual patients.377 However, not all states impose the APhA’s code upon pharmacists by law as they do upon doctors with the AMA’s Principles of Medical Ethics.378 Consequently, medical information that is protected when included in a physician’s record may not enjoy the same protection when it is part of a pharmacist’s record.379 Notably, neither the AMA nor the APhA’s ethical code protects medical information that “has been disclosed to a third party, such as a pharmaceutical company.”380

371. See MASS. REGS. CODE tit. 256, § 7.01 (1999).
372. Id. § 7.01(15).
373. See Mowery, supra note 17, at 717.
374. See id. Section 5.05 of the AMA’s Principles of Medical Ethics states: The information disclosed to a physician during the course of the relationship between a physician and patient is confidential to the greatest possible degree . . . . The patient should be able to make this disclosure with the knowledge that the physician will respect the confidential nature of the communication. The physician should not reveal confidential communications or information without the express consent of the patient, unless required to do so by law. Adelman & Zahler, supra note 23, at 129, cited in Mowery, supra note 17, at 717 n.191.
375. See Mowery, supra note 17, at 717.
376. American Pharmaceutical Association, Code of Ethics for Pharmacists (visited May 10, 2001) <http://www.aphanet.org/APhA/about/about.html>. The American Pharmaceutical Association (APhA) is “the national professional society of pharmacists . . . and is the first and largest professional association of pharmacists in the United States.” Id. With more than 50,000 members, the APhA provides pharmacists with both professional information and education, while advocating comprehensive pharmaceutical care in order to improve the American public’s health. See id.

Another pharmacy association recently approved a set of privacy provisions applicable to third parties working with pharmacies and patients.381 These guidelines were created by the National Association of Boards of Pharmacy (NABP) in early 1999, with the goal of providing a model for states striving to assure that prescription records remain confidential.382 The driving concern prompting the creation of these measures was “that some third-party organizations – such as insurance carriers, pharmacy benefits management companies, and marketing firms – try to influence patients to switch their drug regimens [or attempt to guide individuals away from a particular course of therapy, purely for financial gain].”383 These guidelines are intended to secure the privacy of patient-identifiable information that is being managed by patient compliance and intervention programs in order to counteract this conduct.384 The NABP hopes to append the final version of these measures to the NABP Model State Pharmacy Act, which oversees the Boards of Pharmacy of each state.385

377. See id. §§ I-II, IV, VII.
378. See Mowery, supra note 17, at 717-18.
379. See id. at 718.
380. Id.
381. See Porter, supra note 101, at 98.
382. See id. The NABP is comprised of pharmacy regulators from all over the United States. See id.
383. Id. at 98-100.
384. See id. at 100. These programs are defined by the NABP as those that contact patients to improve their use of prescription medication, advocate “appropriate monitoring and self-reporting of medication use; provide educational information about the patient’s disease state; and discuss and/or affect a patient’s therapy or choice of medication.” Id.
385. See id. at 100-02.

These various rules and provisions do encourage healthcare professionals to maintain the privacy and confidentiality of medical information, and the organizations that draft them hope they will be used by legislatures to create laws regarding professional codes of conduct.386 Nevertheless, these codes of conduct offer only suggested guidelines to legislatures, and do not offer any support to the plaintiffs’ arguments in Weld because they only impose ethical obligations and do not have the force of law in all states.387

D. Duties of Confidentiality in Other Professions

The pharmacist-patient relationship is often considered a derivative of the doctor-patient relationship, since both pharmacists and physicians frequently work together for the patient’s benefit.388 The doctor-patient relationship has traditionally been highly respected.389 Its mandate of confidentiality is prescribed by the Hippocratic Oath, which states that “whatsoever I shall see or hear in the course of my profession . . .
if it be what should not be published abroad, I will never divulge, holding such things to be holy secrets.”390 Physician-patient confidentiality helps to enhance diagnosis and treatment and is passionately guarded by doctors.391 This doctor-patient privilege encourages individuals to seek treatment knowing that their personal health information will remain private.392 Over the past two decades, “courts have imposed liability on physicians who disclose confidential information about their patients based on a variety of legal theories.”393 These include contract law, where a promise is implied by the doctor not to disclose confidential information, breach of fiduciary duty, invasion of privacy, libel, and various state licensing laws.394 For similar reasons, many state legislatures have also provided for a psychotherapist-patient privilege, along with creating laws that protect the confidentiality of communications between licensed social workers and their clients as well as between psychologists and their clients.395

386. See supra notes 381-85 and accompanying text.
387. See supra notes 373-80 and accompanying text.
388. See Joanne C. Brant, Ethical Issues and Trouble Spots, 4 OHIO N.U. J. PHARMACY & L. 25, 28 (1995).
389. See Arnold, supra note 7, at 473.
390. Id. at 473 n.112 (citations omitted).
391. Id. at 473.
392. Id. The physician-patient privilege in Massachusetts derives from case law since the legislature has not enacted a privilege that would apply to physicians in the private sector. See Arzt, supra note 188, at 189; see also, e.g., Alberts v. Devine, 479 N.E.2d 113, 120 (Mass. 1985) (holding “that a duty of confidentiality arises from the physician-patient relationship and that a violation of that duty, resulting in damages, gives rise to a cause of action sounding in tort against the physician”); Ryan v. Board of Registration in Medicine, 447 N.E.2d 662, 663 (Mass. 1983) (affirming a decision to censure a physician who disclosed a patient’s confidential medical information).
393. See Joanne C. Brant, supra note 388, at 29.

With regard to the confidentiality of the medical records maintained in a hospital, patients have a recognized interest in the information contained in the record, yet the hospital is still the owner of it.396 However, the hospital is only considered a “custodian of the information” contained in the record and can be held liable if it improperly reveals the medical information of its patients without proper authorization.397 Recovery is normally based on common law claims such as invasion of privacy, defamation, and breach of contract, but “recovery can be difficult because the patient must show injury in order to maintain a claim.”398 Unless abuse or a public hazard is suspected, patients have the right to assume that all medical records maintained by a hospital with regard to the patient’s care will be treated as confidential.399

Healthcare information is often maintained not only by hospitals but also by third-party payors.400 Insurance companies may compile and share client information, but this is a qualified privilege only allowing insurance companies to trade the insured’s or applicant’s confidential information for the purposes of determining eligibility or claim remuneration.401 Most of these informational practices by insurance companies are unregulated by the states.402 The information possessed by insurers is often supplied to pharmaceutical companies which receive it second-hand, and do not always use the information for the provision of healthcare services.403 However, state law does not obligate these types of secondary users to maintain any degree of confidentiality.404 “Therefore, the development of data collectors in the private sector has occurred without regulation, statutory guidance, or a means by which to redress privacy violations.”405 Without a duty of confidentiality between patients and drug companies, it is unlikely that a tort claim against a secondary user will be successful.406 Consequently, the privacy concerns which ensue from the creation of “large commercial databases” by secondary users are insufficiently safeguarded by state laws.407

394. See id.
395. See supra notes 176-79 and accompanying text.
396. See WILLIAM H. ROACH, JR., ET AL., MEDICAL RECORDS AND THE LAW 61 (1985).
397. Arnold, supra note 7, at 471. Many hospitals follow the standards set by the Joint Commission on Accreditation of Hospitals (JCAH). See id. at 469. These standards do not have the force of law, but wield a great deal of power since many states accept JCAH accreditation as a basis for licensure and because hospitals accredited by JCAH also meet the requirements to participate in the federal Medicare program. See id. at 469-70. In addition to holding the hospital responsible for preventing the records from being used by unauthorized individuals, the JCAH standards illustrate the significance of ensuring that records are secure, confidential and authentic. See id. at 470.
398. Id. at 471.
399. See Cuzmanes & Orlando, supra note 70, at 27.
400. See Mowery, supra note 17, at 716.
401. See id.
402. See id.
403. See id.

E. Pharmacist-Patient Privilege

Many professions have used codes of conduct or legislative action to implement measures that protect the privacy of individuals using their services; however, the profession of pharmacy has not been given this indulgence.408 Attorneys, for example, are bound by a code requiring them to maintain client confidences unless the client consents to disclosure.409 Similarly, the records and communications that occur between a patient and a physician are often protected by statutes as well as case law.410 Nonetheless, pharmacists and patients are given no guarantees that their communications are protected, with the exception of the pharmacist’s Code of Ethics, which covers only pharmaceutical records.411 Pharmacists are now playing significantly larger roles in the medical treatment of patients, yet the legal status of this relationship has not evolved to reflect its changing character.412 Furthermore, almost all efforts to keep pharmaceutical records out of evidence have failed because the courts have found that these records are not entitled to the same confidentiality protections as those maintained by doctors or the private communications of attorneys.413 In light of such rulings, patients may be reluctant to reveal private information to their pharmacists and arguably pharmacists may have a moral, if not an ethical, responsibility to notify their patients that the information in their records may become subject to examination by others.414

404. See id. at 716.
405. Id. at 716-17.
406. See Mowery, supra note 17, at 717.
407. Id.
408. See Quick, supra note 279, at 160.
409. See id.
410. See id. at 160-61.
411. See id. at 161.
412. See Adelman & Zahler, supra note 23, at 139.
413. See Quick, supra note 279, at 161 & n.85.

Many in the professions of law and pharmacy have indicated that communications between pharmacists and patients should be treated similarly to those between doctors and patients.
415 “The confidential nature of prescription records and other documents maintained by pharmacists warrants such an extension of the statutory physician-patient privilege to pharmacists.”416 At the very least, these records should be given common law or constitutional protection, if their disclosure causes an invasion of the patient’s right to privacy.417 When pharmacists breach their duty of confidentiality, lawsuits are uncommon or settlement is usually reached in the early stages of the suit.418 Although some state statutes define “healthcare provider” as including pharmacists, this is usually insufficient to permit the pharmacist to invoke the doctor-patient privilege, and only a limited number of states will allow this in a court proceeding.419 However, certain similarities in these relationships indicate that it may be appropriate for a pharmacist on certain occasions to defend himself with the same legal theories a physician might use.420 One such similarity is that both are protected from civil liability, when the disclosure or testimony by the doctor or pharmacist is required by a court order.421 Sometimes the doctor-patient privilege may be invoked to prevent production of documents.422 However, use of the privilege can be limited for a pharmacist or doctor since it actually belongs to the patient who may waive it at any time.423 Therefore, if the patient does not consent to the invocation of the privilege neither the physician nor the pharmacist can claim it.424

414. See id. at 161.
415. See Adelman & Zahler, supra note 23, at 139.
416. Id.
417. See id. at 139-40.
418. See Joanne C. Brant, supra note 388, at 29.
419. See id.
420. See id.
421. See id. However, not all disclosures are protected from civil liability since it has been commonly held that “‘[t]here is an assumption that the physician patient privilege affects any use of the so-called confidential matter in a medical record.’ This assumption is incorrect. The rule prohibiting the disclosure of privileged medical communications is statutory and applies only with respect to disclosures in judicial or quasi-judicial proceedings.” Id. at 29-30 (citation omitted). Conversely, disclosure of information out of court may be unethical, but does not constitute a claim under the statutes governing privileged communications. See id. at 30.
422. See id. at 30.
423. See id. If the police were conducting an investigation, the usefulness of this privilege can be dramatically diminished. See id. For example, if law enforcement or state inspectors demand all prescription records dispensed by a pharmacy over a period of several months, the privilege is virtually ineffective. See id. Since it is almost impossible for the pharmacist to “locate and obtain the patient’s consent to invoke the privilege for each and every prescription dispensed during that time period, the pharmacist’s invocation of the privilege can be quickly overcome.” Id. This will usually lead to the pharmacist invoking the Fourth and Fifth Amendments’ right to privacy in defending against production. See id. Applying this defense to the pharmacists, however, has been exceedingly problematic. See id.

Historically, the holdings have been varied with regard to recognition of a pharmacist-patient privilege,425 and many courts are reluctant to recognize it.426 However, concerted efforts must be made to create laws guaranteeing some level of confidentiality for a patient’s pharmaceutical records.427 Even if the information previously included in the patient’s prescription record is not protected, at a minimum the additional information sought for the patient’s profile, such as personal medical history, should receive legal privacy protections.428 New legislation should also control the access of secondary users, such as drug manufacturing companies, to this sensitive and personal information.429 The personal nature of prescription records and other private information obtained and kept by pharmacists justifies the expansion of the physician-patient privilege to include pharmacists.430

424. See Joanne C. Brant, supra note 388, at 30.
425. See Adelman & Zahler, supra note 23, at 146-47; see also Nelson v. Nederland Life Ins. Co., 81 N.W. 807 (Iowa 1900) (finding that the doctor-patient privilege forbids a physician to testify about a patient’s prescription information); Deutschmann v. Third Ave. R.R. Co., 84 N.Y.S. 887, 894 (N.Y. App. Div. 1903) (holding that the physician-patient privilege “does not extend to a [pharmacist] who fills physician’s prescriptions”); Green v. Superior Court, 33 Cal. Rptr. 604, 607 (Cal. Dist. Ct. App. 1963) (holding that the statute establishing the physician-patient privilege does not extend this privilege to communications between a pharmacist and a patient); Rudnick v. Superior Court, 523 P.2d 643, 649-50 (Cal. 1974) (holding that a physician’s confidential disclosure “of communications protected by the physician-patient privilege to a third person to whom disclosure is reasonably necessary for the accomplishment of the purpose for which the physician is consulted confers upon the third person the right to claim the physician-patient privilege on behalf of the patient”); Evans v. Rite Aid Corp., 478 S.E.2d 846, 848 (S.C. 1996) (finding that “although the Code of Ethics of the American Pharmaceutical Association [provides for] a pharmacist’s duty of care, . . . it does not create . . . a statutory duty of confidentiality [for pharmacists]”); see also In re Miner’s Will, 133 N.Y.S. 2d 27, 28 (1954) (holding that “[c]ommunications to a [pharmacist] and prescriptions given him by his customer are not confidential communications protected from disclosure”); State v. Mark, 597 P.2d 406, 408 (Wash. Ct. App. 1979) (holding that the physician-patient privilege does not protect prescription records from inspection by state auditors especially where no public disclosure will result). But see, e.g., CAL. EVID. CODE § 912, cmt. (d) (2001) (stating that “the patient’s presentation of a physician’s prescription to a registered pharmacist would not constitute a waiver of the physician-patient privilege because such disclosure is reasonably necessary for the accomplishment of the purpose for which the physician is consulted”).
426. See Adelman & Zahler, supra note 23, at 127.
427. See Mowery, supra note 17, at 743 n.418.
428. See id.

The Massachusetts regulations that currently exist are a step in the right direction by the legislature to actually recognize a pharmacist-patient privilege. These rules obligate pharmacists not to disclose confidential patient information, but they fail to regulate the access of third parties, such as pharmaceutical companies or pharmacy management, to this personal information. In light of the changing role of pharmacists today, more restrictive legislation is needed to protect the information revealed by individuals to their pharmacists in a similar fashion to that disclosed to physicians. If such confidentiality requirements are not implemented and the existing regulations are not better enforced, it is the patients who will suffer. They will hesitate to reveal vital medical information to their pharmacists in an effort to avoid unwanted disclosure, and the price they will pay for privacy is the possibility of inadequate treatment.

VI. CONCLUSION

The privacy advocates feel that the type of privacy invasion resulting from CVS’s patient compliance program, which was implemented to remind CVS customers to renew their prescriptions, is a precise example of what is wrong with the current state of medical record privacy law.431 This point is further supported by polls which revealed that next to the government, individuals are most disturbed by the idea of their medical information being accessed by large private companies.432 Nonetheless, there are some benefits to be gained from the use of this information by third parties, such as CVS which profits each time customers’ prescriptions are refilled.433 However, if patients fail to take their prescribed medication, then detrimental consequences may result.434 From a public health standpoint, it may actually be more beneficial to require companies “like CVS to prohibit their marketing partners from making secondary use of prescription data than to prohibit CVS from reminding their customers to renew prescribed medication.”435 Furthermore, it makes sense for CVS and other pharmacies to make use of consent forms which can be easily distributed to customers when they fill their prescriptions.436 These forms would provide customers with the control they desire over the disclosure of their personal prescription information. The customer and not the pharmacy would make the choice to disclose or not disclose individual prescription information to third parties interested in using it for marketing purposes. If this practice were routinely implemented, pharmacy customers would be much less likely to feel that their privacy has been invaded when they receive promotional materials from a drug manufacturer.

429. See id. at 742.
430. See Adelman & Zahler, supra note 23, at 139.
431. See Rubinstein, supra note 36, at 229.
432. See id.
433. See id.
434. See id.
435. Id.
Compromise between data users and privacy advocates is critical to achieving a workable scheme of legislation that will not only protect individuals but also aid researchers in obtaining the data they require to make accurate findings. It is important to remember “that both the individual and the community have interests,” which must be carefully balanced to provide security to each.437

When drafting a law that will balance the interests of privacy advocates and data users, the Massachusetts Legislature may want to carefully consider the Confidentiality of Health Care Communications and Information Act438 that has been enacted in Rhode Island. The statute was created with the intention of safeguarding and maintaining the integrity of individual healthcare information,439 and it appears to accomplish this goal by requiring a patient’s written consent whenever their confidential healthcare information is released with some important exceptions.440 These statutory exceptions exist to protect the community by permitting disclosure of medical information to various researchers, government agencies, and medical professionals when appropriate. The exceptions are a critical part of this Act because without them these parties would only be able to access individual medical data by obtaining written permission from every subject whose information was to be disclosed. If such a practice persisted, public health would surely suffer.

Equally important is the statute’s attention to the disclosure of personal medical data to private organizations. It requires that “[t]hird parties receiving and retaining a patient’s confidential [healthcare] information[, such as CVS,] . . . establish” certain minimum security procedures to ensure that the confidentiality of these records is maintained.441 Therefore, were this statute applicable to Weld, CVS would be in violation of it unless CVS obtained written waivers from the customers included on the targeted mailing list, prior to giving it to the drug manufacturer.

436. See supra notes 228-31 and accompanying text.
437. Rubinstein, supra note 36, at 230.
438. See supra note 199 (describing the details of the Act).
439. See R.I. GEN. LAWS § 5-37.3-2 (2000).
440. See supra note 199 (describing these exceptions and the penalties for violation of the Act).
441. See R.I. GEN. LAWS § 5-37.3-4(c) (2000).

This Act appears to admirably balance the concerns of researchers and other data users with those of private individuals. It allows for legitimate scientific study of medical data without individual authorization, yet prohibits third parties, someone other than the patient, their pharmacist, or their physician, from disclosing these private facts without obtaining written consent from the individual whose information is to be revealed.

Massachusetts presently has a myriad of legislation which provides valuable privacy protection to medical records. However, these laws do not offer the specific protections needed to prevent unauthorized disclosure to various parties in the private sector. Accordingly, Massachusetts should strive to achieve the type of balance with its medical record privacy laws that has been demonstrated by the Rhode Island Legislature.

Sharon R. Schawbel