About Us  |  About Cheetah®  |  Contact Us

State workers fail (again) in privacy challenge to search of their drug records in state database

By Lisa Milam-Perez, J.D.

Two state employees whose prescription drug records were accessed by a detective while investigating the theft of opioids from city ambulances were unable to revive their Fourth Amendment or Fair Credit Reporting Act claims against the detective or the municipality. The Tenth Circuit affirmed the lower courts’ conclusions that the defendants were entitled to qualified immunity on the constitutional claims, and that an exception to the FCRA applied here. The two cases that were combined here had drawn the ACLUs’ attention in light of the considerable privacy issues at stake; the national organization and six state chapters weighed in with amicus briefs (Pyle v. Woods, November 1, 2017, Murphy, M.).

Drug database search. The Utah Controlled Substance Database was created in 1995 pursuant to the Utah Controlled Substance Database Act. Administered by the Utah Department of Occupational and Professional Licensing (DOPL), it contains data on every prescription for a controlled substance dispensed in the state (with exceptions inapplicable here), and, during the period in question, the Database Act allowed local law enforcement within the state to access the database without a search warrant.

When opioids and sedatives went missing from several of its ambulances, the Utah Fire Authority (UFA) reported the thefts and the defendant detective launched an investigation. To that end, the city’s police chief gave the detective a list of 480 UFA employees with access to the ambulances. Looking for suspects, and acting in reliance on the Database Act, the detective conducted a warrantless search of the employees’ names against the state database. Based on his findings, the detective grew suspicious of the two plaintiffs, although they were never prosecuted for the thefts. Still, they both filed suit under Section 1983 against the detective, the city, and the mayor (not at issue on appeal) alleging the defendants violated their Fourth Amendment rights as well as the FCRA. Both suits were dismissed, both dismissals were appealed, both to no avail.

Qualified immunity. The district courts had properly granted qualified immunity to the detective, as the law on the constitutionality of a warrantless search was not clearly established. The Tenth Circuit has never addressed head-on whether a warrantless search by law enforcement of a patient’s prescription drug records in a state database violates the Fourth Amendment. The plaintiffs urged that a “case directly on point” isn’t necessary, contending it was enough that “(1) individuals have a constitutionally protected privacy right in their prescription drug records; and (2) warrantless searches violate the Fourth Amendment absent an exception.”

However, it wasn’t so clear-cut as this. The Tenth Circuit has held that “the right to privacy in prescription drug records is not absolute; consequently, courts must consider the scope of the protected property right to resolve the issue. At the time the detective in this instance accessed the database, no court had undertaken such an inquiry; no court had found a warrantless search of this sort was unconstitutional. The issue was not beyond debate, and the detective had not acted contrary to clearly established law. Quality immunity had attached.

Municipal liability. A procedural slip-up had stymied one plaintiff’s attempt to hold the municipality liable for the alleged violation of his constitutional rights. Namely, the plaintiff failed to promptly notify the state attorney general of his challenge to the constitutionality of the Database Act, a prerequisite to suit. The plaintiff argued he didn’t have to satisfy this requirement because he wasn’t challenging the statute itself, but merely the actions of the defendants. The court below had rightly rejected this argument. The detective was acted in reliance on the statute when he undertook the actions being challenged by the plaintiff. “[I]f his actions are unconstitutional then the Database Act, which permitted him to do so, is also unconstitutional,” the appeals court explained. As such, the plaintiff was to have notified the attorney general before filing suit.

The other plaintiff’s claim for municipal liability failed on the merits, as the court found he did not allege either a municipal policy or custom at play here, or a link between that policy or custom and his alleged injury. He did plead it was the city’s policy to inquiry into employees’ prescription drug records without a warrant, but this was too “formulaic” a recitation of the elements of his claim to satisfy Twombly standards. Because he failed to allege sufficient facts to support an inference that the detective was following a policy or custom when he accessed his information in the database, there could be no plausible inference that a municipal policy directly caused the injuries he allegedly suffered.

FCRA claims. Assuming without deciding that the DOPL is a consumer reporting agency, and that the information in the drug database is a consumer report, the district court nonetheless dismissed the plaintiffs’ FCRA claims, concluding that the FCRA’s 15 U.S.C. § 1681a(y) exception applied because the challenged communications were made pursuant to an investigation of suspected misconduct relating to employment. The plaintiffs argued the exception did not apply—that this provision should be construed as requiring a preexisting suspicion of a particular individual, which was not the case here. But there was no support for this contention in the statute itself or in the case law interpreting it. The plaintiffs decried what they deemed a “fishing expedition” but in this case, the detective had narrowed his database search to those employees with access to the ambulances from which the drugs were stolen. Therefore, the appeals court found no reversible error.