Walgreens is being sued by customers who are not happy that their prescription information – even though it has been de-identified – is being sold by Walgreens to data-mining companies.

The data privacy and security concerns surrounding the transfer of de-identified data are significant.  To “de-identify” what is otherwise protected health information under HIPAA, some outfits will simply strip data of 18 types of identifiers listed in federal regulations.  However, the relevant regulation (45 CFR 164.514(b)(2)(ii)) also provides that this only works if “the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.” Thus, the problem with this approach is that, these days, nobody can disclaim knowledge of the fact that information de-identified by removing this cookbook list of 18 identifiers may be re-identified by cross-matching data with other publicly-available data sources. There are a number of reported instances of this sort of thing happening. The bottom line is that our collective technical prowess has outstripped the regulatory safe harbor.

Is this the basis of the lawsuit brought against Walgreens?  An objection to trafficking in health information that should remain private?  No.  The plaintiff group of customers is suing to share in the profits realized by Walgreens from trading in the de-identified data.

While I haven’t pored over the papers filed in this case, my guess is that there’s enough legal boilerplate in the Walgreens HIPAA notice of privacy practices given out and signed for up front by patients who fill prescriptions so that they do not have a claim worth much more than nuisance value.

This case reminds me of the landmark case of Moore v. Regents of the University of California, decided about twenty years back, where a leukemia patient wanted to share in the profits from a line of cells grown from cells harvested from his body by researchers who told him that his return hospital visits were for checkups and monitoring only.  He lost.

The specific governing rules in play are different, but I don’t see how the ultimate result would be much different this time around, especially since the Walgreens plaintiffs were probably given more information about how their goods might be used (in the notice of privacy practices) than Moore ever was.

Nobody asked me, but I would think that a more productive line of inquiry would lie with figuring out whether the data that is being sold – patient gender, state and age group; name of drug prescribed; and ID number of prescribing physician – could be combined with other data available out there to the folks buying these data from Walgreens and used to re-identify patient records.  Given the slightly-differently-de-identified insurance company records that are out there, and the profit motive of the data-mining companies, I would not be surprised if at least some of these de-identified records were easily re-identified, thus exposing Walgreens to liability for HIPAA violations.  The data-mining companies are almost certainly re-identifying the physicians, since that’s where the value in this whole exercise lies: targeted marketing to physicians based on their prescribing patterns.  (Regarding re-identification of patient information, consider the case of the Netflix prize, where de-identified video rental data could be re-identified by cross-matching with online consumer movie reviews – “Simply removing names does not ensure that data will remain anonymous. And the implications stretch far beyond the world of Netflix.”)   Of course, HIPAA violations just yield a fine, payable to the government (and we know how useful HIPAA CMPs can be in ensuring compliance) – there is no third-party liability under HIPAA – so it would be a stretch to translate them into a plaintiffs’ verdict involving cash.

David Harlow writes at HealthBlawg, a nationally-recognized health care law and policy blog. He is an attorney and lectures extensively on health law topics to attorneys and to health care providers. Prior to entering private practice, he served as Deputy General Counsel of the Massachusetts Department of Public Health.

11 Responses for “Who Owns Patient Data?”

  1. Hi David, you should probably read the briefs, or my post below :-). This is not at all like the leukemia patient case. I may be overly optimistic, but I think they have a little bit of a chance to prevail, and at the very least pioneer a new way to look at this issue.

  2. DeterminedMD says:

    Again, it is not about the money, but stopping the intrusion into patient-physician treatment decisions that are not about profit but improving health. Doubt any of the pharmaceutical efforts are interested in care decisions first, but sales and profit margins as the prime focus for trolling for this information.

    Hey, if you want to know what I write for, here’s an idea, come to my office and ASK ME! Maybe I won’t tell you, but isn’t that my right, my choice, and my request for whatever anonymity I can have as a provider?

    The rude and insensitive reply is, “not if I can profit from your choices, irregardless if it benefits anyone else besides me and my company!!!”

  3. Privacy Fiend says:

    Unfortunately, the basic (and false) premise that a de-identified data set was produced is not valid (According to HIPAA anyway).

    The 18th identifier to be removed is “Any other unique identifying
    number, characteristic, or code, except as permitted by paragraph (c) of this

    I am certain that Walgreens did not remove all the quasi-identifiers present in their data and thus did not produce a HIPAA-compliant data set

  4. David Harlow says:

    @Margalit – It seems to me that the passage of specific laws on the issue in Maine, New Hampshire and Vermont fuel the notion that without specific legislation the pharmacies are free to do what they’re doing. The relevance of the Moore case is that his claim was: My cells, my $$, and the court said: Since the docs and medical center did something to the cells to make them saleable, they owned the value created there. Similarly, a single prescription record is valuable only to the individual patient, but the aggregated, de-identified (or not …) database, created by Walgreens in this case with its hardware/software, has value to others. Since the plaintiffs are not making the privacy argument, but the “pay us for the commercial value of our data” argument, the claim seems to me to fall flat. The fact that this is brought as a class action highlights my point: No individual plaintiff has a claim worth bringing. What is the value of a single prescription record? Not bloody much. The lead plaintiff and the plaintiffs’ attorney could make some money if the case were successful, but each member of the class would stand to win bupkes.

    @DeterminedMD – Please note that the patients in this case are not seeking to preserve the sanctity of the physician-patient relationship, they are simply seeking to share in the value of the aggregated data.

    @Privacy Fiend – As noted in the post, I agree with you that the data was arguably not de-identified, and that in fact it may not be possible to de-identify data and still make it useful in this context.

  5. David,
    I do agree that the value of each prescription is minimal, but it is not zero. A batch of 1 million scripts is significantly more valuable than a batch of say, 50,000 scripts. Therefore the value of each script can be assessed.
    I don’t think the plaintiff or the attorneys are expecting a windfall here, and if you look at the history of cases this particular firm brought in the past, you will see that they are on some sort of mission here.
    One empty soda can is worthless. A truck full of soda cans has financial value. This does not give the truck driver license to raid my kitchen and take my soda cans unless I explicitly give him permission to do so.
    There are HIT companies out there that make users sign “terms of use” agreements where the user is assigning all commercial value of the data to the technology company. Why would that be necessary if there is no value in individual data?
    And by the way, the plaintiff is asserting that their doctor-patient relationship was damaged due to the defendant actions. It was one of the “harms” enumerated to support unjust enrichment.

  6. Gary Lampman says:

    Regardless of how the industry uses or abuses patient records for profit. The aggregate use for profit collection seems unethical and a betrayal of the Patients trust. However, who says this industry has scrupples or ethics either.
    Data Mining is for profit only and has No Medical Value. Clearly, it is a shameful act of secondary profitteering . Surely companies can not bitich about pirating when they,themselves are complicit in the same act. I don’t care how you package crap,tie it in a bow and market it . Its still crap!
    Records are the personal property of the patient as they pay for the service.They also pay for the records that unique to them alone. These records should not be used for profiteering.
    The more anyone anaylizes this industry we find cracks in the ethical use of records, exploitation of symptom based practices to target the bankruptcy of patients, and the extension of treatments and tests to maximize. Truth be known ; Cures are only advertised for sympathy of the Consumer. However, there is NO MONEY IN CURES!!!!! So the practice is designed to pass patients onto a maze of needless test, treatments,and pharma that gives the presense of doing something. Really, the art of Medical Science has become a commercial sale and dispassionate suiters of patients.

    • Doug D says:

      Gary Lampman wrote: “Records are the personal property of the patient as they pay for the service.They also pay for the records that unique to them alone. These records should not be used for profiteering.”

      In your arguments, let’s replace the word “patient” with “customer.”

      And then replace “Walgreens” with “Amazon.”

      Does the argument still work ? Can we make a compelling case that, in the absence of some explicit “fair use” binding agreement between a business and its customers, Amazon (or Home Depot or American Express etc) can’t profit further by internally slicing and dicing their customer transaction data for cross-selling opportunities, or can’t sell that data (suitably anonymized) to other entities who believe that data has value for some different commercial purpose/s ?

      I’m not a lawyer, but I think that’s a really tough argument to make.

      (Whether or not data is SUFFICIENTLY sanitized is a different issue.)

    • Doug Laney says:

      Gary, You’re way off. When you agree to do business with an entity, any entity, the transaction data is *theirs* (as Doug D smartly points out). Yes, HIPAA regulations specify what a healthcare provider or transmitter can do with the personal health info (PHI), and how they must secure it. None of this jives with your rant. Also, you might consider that companies profiting from our aggregate/privatized PHI are in a better position to invest in innovation, thereby servicing us better and improving our health. Therefore, I would like to insist/encourage that my PHI is mined, otherwise the data is just stagnant and useless to me and everyone else.

  7. Ketan Patel says:

    Next lawsuit for HIPAA violation: http://www.practicefusion.com

  8. I am one of 3 primary care physicians in a in ndependent primary care practice that has transitioned completely to EHR. I have been in practice for 33 years as an independent practicioner.. “Back-up” now takes approximately 3.5 hours during which time access to patient care records is denied. Aside from the liability issue this presents, access to critical care information is essential. What solutions are economically feasible for a small independant practice?….Rich

  9. Doug Laney says:

    David, I’d like to see the actual answer to the question you pose in the title of your piece.

Leave a Reply


Founder & Publisher

Executive Editor

Editor, Business of Healthcare

Contributing Editor

Contributing Editor

Business Development

Editor-At-Large, Wellness

Editor-At-Large, Europe



The Health Care Blog (THCB) is based in San Francisco. We were founded in 2003 by Matthew Holt. John Irvine joined a year later and now runs the site.


Interview Requests + Bookings. We like to talk. E-mail us.

Yes. We're looking for bloggers. Send us your posts.

Breaking health care story? Drop us an e-mail.


We frequently accept crossposts from smaller blogs and major U.S. and International publications. You'll need syndication rights. Email a link to your submission.


Op-eds. Crossposts. Columns. Great ideas for improving the health care system. Pitches for healthcare-focused startups and business.Write ups of original research. Reviews of new healthcare products and startups. Data-driven analysis of health care trends. Policy proposals. E-mail us a copy of your piece in the body of your email or as a Google Doc. No phone calls please!


Healthcare focused e-books and videos for distribution via THCB and other channels like Amazon and Smashwords. Want to get involved? Send us a note telling us what you have in mind. Proposals should be no more than one page in length.

If you've healthcare professional or consumer and have had a recent experience with the U.S. health care system, either for good or bad, that you want the world to know about, tell us about it. Have a good health care story you think we should know about? Send story ideas and tips to editor@thehealthcareblog.com.

REPRINTS Questions on reprints, permissions and syndication to ad_sales@thehealthcareblog.com.



Affordable Care Act
Business of Health Care
National health policy
Life on the front lines
Practice management
Hospital managment
Health plans
Specialty practice
Emergency Medicine
Quality, Costs
Medical education
Med School
Public Health

Electronic medical records
Accountable care organizations
Meaningful use
Online Communities
Open Source
Social media
Tips and Tricks


Health 2.0
Log in - Powered by WordPress.