Clash of Prescription Drug Monitoring & Patients’ Privacy

Oregon's Prescription Drug Monitoring Program (PDMP), which creates a statewide database of patients taking controlled substance prescription drugs, is about to go live. As you can imagine, the mere notion of a centralized database is causing head butting between public health advocates and privacy advocates.

The pro-PDMP side claims that the program is necessary to promote public health and welfare and help improve patient care since pain is often undertreated. The information will aid health care providers and pharmacists to better manage patients' prescriptions and allow the providers to better determine if a patient is really suffering from chronic pain as opposed to an addiction. The Oregon Senate Bill 355 established the PDMP in July 2009 and it is supposed to be operational by September 1, 2011 for access by pharmacists and health care providers.

PDMP collects data on Schedules II, III and IV controlled substances. For a list of these medications and more information, you can go to http://www.deadiversion.usdoj.gov/schedules/. The database will include: the patient's name, address, and date of birth, pharmacy and prescriber information, and specific prescription information including the drug name and dosage, when it was prescribed, and when it was dispensed.

On the opposing side, the ACLU representative on the program pointed out the fact that data breaches are happening so frequently and there was a breach of a similar program in Virginia, already. The concerns raised included both the risk of authorized but inappropriate use of the information as well as a breach of the database. These are both very serious issues with social, reputational, and medical implications. We know very well that no electronic system is immune to malicious attacks.

Given the unscientific polling that I did among some friends and colleagues, there's little public awareness of this program. As with most privacy-related issues, there's a balancing act between the public good and potential harm. The program can help those dealing with chronic pain issues but a very wide net is being cast that will include most of us at some point and if the information is breached or misused, it can cause damage to the very same people that it is supposed to help. I hope that the program is following the HIPAA-HITECH privacy and security standards as a floor and do much more to protect this highly sensitive PHI data set.