The DEA says that, much like emails sent through someone else's server, once medical records are given to a pharmacy, or any third party, a citizen should have "no expectation of privacy" for that data.
The ACLU is representing a physician and four patients in Oregon whose prescription records are stored in a state database used to assist doctors in preventing drug abuse. The DEA has been requesting information from this database through subpoenas rather than a probable cause warrant as a state law requires.
According to the ACLU, all four patients have prescriptions that would detail sensitive personal information about them, including gender identity, HIV status, mental illness and more.
"The information we share with our doctors ... constitutes some of the most deeply private and sensitive information about us," said ACLU attorney Nathan Wessler. "Just because we trust our doctors and pharmacists with our medical information doesn't mean the DEA should be able to easily access it too."
But the DEA argued that a patient releasing prescription medical records to a pharmacy was essentially the same as a homeowner releasing power usage data to a power company, which a US appellate court recently found does not require a warrant.
The ACLU called this comparison "absurd."
Though the DEA is leaning on the increasingly thorny third-party doctrine, Wessler notes that a patient releasing sensitive medical data to a pharmacist or other medical professional isn't "voluntary" in any meaningful sense.