Prescription drug monitoring programs (PDMPs) operated by states collect data on every controlled substance that has been prescribed to you, including the date, dose, quantity, refills, dispensing pharmacy, and prescriber name.¹ With simple password access, these sensitive databases can be viewed by law enforcement, regulatory compliance boards, pharmacists, and prescribers. Many states require doctors to query the database when they first prescribe a controlled substance to a patient.

The earliest PDMPs were launched as law enforcement tools and also to identify drug abusers needing prevention and treatment. These days, PDMP databases are deeply integrated into health information exchanges, electronic health records, and pharmacy dispensing systems.²

Interestingly, researchers have found “limited evidence” that PDMP use has reduced opioid-related consequences.³ And some have suggested that PDMPs might lead physicians to refuse to prescribe pain meds to chronic pain sufferers in need, in order to avoid scrutiny.⁴

“PDMPs are predominantly law enforcement investigative tools dressed up in public-health-promoting rhetoric…that surreptitiously collect a stunning amount of sensitive health information.”

— Duke Law Journal

Another big concern is the fact that these sensitive databases can be misused by bad actors. A Duke Law Journal article concluded that “PDMPs are…investigative tools dressed up in public-health-promoting rhetoric [that] surreptitiously collect a stunning amount of sensitive health information.”⁵

The DEA often conducts warrantless searches of patient prescription histories, and many states are litigating to stop this practice on constitutional grounds.

This isn’t the only privacy concern. While they’re not supposed to do this, for the most part, everybody with PDMP account credentials can look up anyone‘s personal prescription history, even if this person is not a current patient or customer. This “scout’s honor” database access means that prescribers can all too easily invade the privacy of individuals that are not patients. Their staff members can even sign in to PDMPs using their employer’s credentials, to look up friends, family members, and even public figures. And password sharing for PDMP access is another serious privacy concern. All of this is scary and ridiculous.

In 30 states, patients have the right to view their own PDMP record.⁶ Sadly, this right is not explained to patients when a controlled substance prescription is written or dispensed.

Almost nobody knows this, but PDMPs log every individual record search — which means they can generate audit reports identifying who had accessed your personal prescription history and when.

This means that patients should be able to request their own audit reports to see who might have “looked them up.”

But after doing research, I wasn’t able to determine which states allow individuals to request their own audit reports.

Even if you’re in a state that allows you to request your own report, it’s difficult to figure out which government agency to request it from. For example, in California you have email the Department of Justice and obtain a request form that isn’t available on the DOJ’s website^.7 Ironically, depending on the state, these request forms may require a notary public certification that you are really you.

Prescription drug monitoring programs must be reformed to improve patient privacy and the accuracy of the databases. First, just like one can obtain one’s credit report today, all states must allow patients to view their own records to check for accuracy.

Along with this, states must make it easy for individuals to request their own audit reports showing who has viewed their private prescription records. Also, when patients receive a controlled substance prescription, they must be given instructions about how they can get these records. Finally, patients must be informed every time a prescriber reviews their private prescription records.

Finally, states must enable two-factor authentication and other means to stamp out illicit password sharing and ensure that only authorized personnel are able to access PDMPs.

If you agree, please contact your state’s attorney general, and re-post this piece on your social media accounts.

Nothing in this article should be relied on for medical or legal advice.

Footnotes

¹ Prescription Drug Monitoring Program, Training and Technical Assistance Center (link)

² ibid (link)

³ ibid (link)

⁴ Sullum, Jacob. State Regulators Punish Doctor for Cutting a Pain Patient’s Opioid Dose and Dropping Him After He Became Suicidal. Reason, July 10, 2019 (link)

⁵ Oliva, Jennifer D. Prescription-drug policing: The right to health-information privacy pre- and post-Carpenter. Duke Law Journal, January 2020 (link)

⁶ American College of Emergency Physicians – PDMP Legislation (link)

⁷ California Office of the Attorney General, CURES FAQs (link)

Copyright © 2025 by Monica Berlin