
Walgreens is being sued by customers who are not happy that their prescription information – even though it has been de-identified – is being sold by Walgreens to data-mining companies.

The data privacy and security concerns surrounding the transfer of de-identified data are significant.  To “de-identify” what is otherwise protected health information under HIPAA, some outfits will simply strip data of 18 types of identifiers listed in federal regulations.  However, the relevant regulation (45 CFR 164.514(b)(2)(ii)) also provides that this only works if “the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.” Thus, the problem with this approach is that, these days, nobody can disclaim knowledge of the fact that information de-identified by removing this cookbook list of 18 identifiers may be re-identified by cross-matching data with other publicly-available data sources. There are a number of reported instances of this sort of thing happening. The bottom line is that our collective technical prowess has outstripped the regulatory safe harbor.

Is this the basis of the lawsuit brought against Walgreens?  An objection to trafficking in health information that should remain private?  No.  The plaintiff group of customers is suing to share in the profits realized by Walgreens from trading in the de-identified data.

While I haven’t pored over the papers filed in this case, my guess is that there’s enough legal boilerplate in the Walgreens HIPAA notice of privacy practices given out and signed for up front by patients who fill prescriptions so that they do not have a claim worth much more than nuisance value.

This case reminds me of the landmark case of Moore v. Regents of the University of California, decided about twenty years back, where a leukemia patient wanted to share in the profits from a line of cells grown from cells harvested from his body by researchers who told him that his return hospital visits were for checkups and monitoring only.  He lost.

The specific governing rules in play are different, but I don’t see how the ultimate result would be much different this time around, especially since the Walgreens plaintiffs were probably given more information about how their goods might be used (in the notice of privacy practices) than Moore ever was.

Nobody asked me, but I would think that a more productive line of inquiry would lie with figuring out whether the data that is being sold – patient gender, state and age group; name of drug prescribed; and ID number of prescribing physician – could be combined with other data available out there to the folks buying these data from Walgreens and used to re-identify patient records.  Given the slightly-differently-de-identified insurance company records that are out there, and the profit motive of the data-mining companies, I would not be surprised if at least some of these de-identified records were easily re-identified, thus exposing Walgreens to liability for HIPAA violations.  The data-mining companies are almost certainly re-identifying the physicians, since that’s where the value in this whole exercise lies: targeted marketing to physicians based on their prescribing patterns.  (Regarding re-identification of patient information, consider the case of the Netflix prize, where de-identified video rental data could be re-identified by cross-matching with online consumer movie reviews – “Simply removing names does not ensure that data will remain anonymous. And the implications stretch far beyond the world of Netflix.”)   Of course, HIPAA violations just yield a fine, payable to the government (and we know how useful HIPAA CMPs can be in ensuring compliance) – there is no third-party liability under HIPAA – so it would be a stretch to translate them into a plaintiffs’ verdict involving cash.
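The question posed above, whether the sold fields leave a patient distinguishable, can be measured before release with a k-anonymity audit over those fields. This is an added example, not part of the original post: the records are constructed, the function names are hypothetical, and k-anonymity is a privacy metric the post itself does not name.

```python
from collections import Counter

# Fields the post says are sold; the values below are constructed sample data.
FIELDS = ("gender", "state", "age_group", "drug", "prescriber_id")

RECORDS = [dict(zip(FIELDS, row)) for row in [
    ("F", "MA", "40-49", "atorvastatin", "P001"),
    ("F", "MA", "40-49", "atorvastatin", "P001"),
    ("F", "MA", "40-49", "sertraline", "P002"),
    ("M", "MA", "40-49", "atorvastatin", "P001"),
    ("M", "MA", "40-49", "atorvastatin", "P001"),
    ("M", "VT", "60-69", "metformin", "P003"),
    ("M", "VT", "60-69", "metformin", "P003"),
    ("M", "VT", "60-69", "lithium", "P004"),
]]


def class_sizes(records, quasi_ids):
    """Count records sharing each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity_report(records, quasi_ids, k=2):
    """Summarise how well each record hides in a group of at least k."""
    sizes = class_sizes(records, quasi_ids)
    at_risk = [r for r in records
               if sizes[tuple(r[q] for q in quasi_ids)] < k]
    return {
        "k_achieved": min(sizes.values()),          # smallest group size
        "unique_records": sum(1 for n in sizes.values() if n == 1),
        "at_risk_fraction": len(at_risk) / len(records),
    }


if __name__ == "__main__":
    # Demographics alone keep everyone in a group of two or more;
    # adding drug and prescriber ID isolates individual records.
    print("demographics only:", k_anonymity_report(RECORDS, FIELDS[:3]))
    print("all sold fields:  ", k_anonymity_report(RECORDS, FIELDS))
```

A record in a group of size one is the kind that a single matching row in an outside data set could pin to a person, so a data custodian would generalize or suppress fields until `k_achieved` meets the chosen threshold.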

David Harlow writes at HealthBlawg, a nationally-recognized health care law and policy blog. He is an attorney and lectures extensively on health law topics to attorneys and to health care providers. Prior to entering private practice, he served as Deputy General Counsel of the Massachusetts Department of Public Health.


11 Responses for “Who Owns Patient Data?”

  1. Hi David, you should probably read the briefs, or my post below :-). This is not at all like the leukemia patient case. I may be overly optimistic, but I think they have a little bit of a chance to prevail, and at the very least pioneer a new way to look at this issue.

  2. DeterminedMD says:

    Again, it is not about the money, but stopping the intrusion into patient-physician treatment decisions that are not about profit but improving health. Doubt any of the pharmaceutical efforts are interested in care decisions first, but sales and profit margins as the prime focus for trolling for this information.

    Hey, if you want to know what I write for, here’s an idea, come to my office and ASK ME! Maybe I won’t tell you, but isn’t that my right, my choice, and my request for whatever anonymity I can have as a provider?

    The rude and insensitive reply is, “not if I can profit from your choices, irregardless if it benefits anyone else besides me and my company!!!”

  3. Privacy Fiend says:

    Unfortunately, the basic (and false) premise that a de-identified data set was produced is not valid (According to HIPAA anyway).

    The 18th identifier to be removed is “Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section;”

    I am certain that Walgreens did not remove all the quasi-identifiers present in their data and thus did not produce a HIPAA-compliant data set.

  4. David Harlow says:

    @Margalit – It seems to me that the passage of specific laws on the issue in Maine, New Hampshire and Vermont fuel the notion that without specific legislation the pharmacies are free to do what they’re doing. The relevance of the Moore case is that his claim was: My cells, my $$, and the court said: Since the docs and medical center did something to the cells to make them saleable, they owned the value created there. Similarly, a single prescription record is valuable only to the individual patient, but the aggregated, de-identified (or not …) database, created by Walgreens in this case with its hardware/software, has value to others. Since the plaintiffs are not making the privacy argument, but the “pay us for the commercial value of our data” argument, the claim seems to me to fall flat. The fact that this is brought as a class action highlights my point: No individual plaintiff has a claim worth bringing. What is the value of a single prescription record? Not bloody much. The lead plaintiff and the plaintiffs’ attorney could make some money if the case were successful, but each member of the class would stand to win bupkes.

    @DeterminedMD – Please note that the patients in this case are not seeking to preserve the sanctity of the physician-patient relationship, they are simply seeking to share in the value of the aggregated data.

    @Privacy Fiend – As noted in the post, I agree with you that the data was arguably not de-identified, and that in fact it may not be possible to de-identify data and still make it useful in this context.

  5. David,
    I do agree that the value of each prescription is minimal, but it is not zero. A batch of 1 million scripts is significantly more valuable than a batch of say, 50,000 scripts. Therefore the value of each script can be assessed.
    I don’t think the plaintiff or the attorneys are expecting a windfall here, and if you look at the history of cases this particular firm brought in the past, you will see that they are on some sort of mission here.
    One empty soda can is worthless. A truck full of soda cans has financial value. This does not give the truck driver license to raid my kitchen and take my soda cans unless I explicitly give him permission to do so.
    There are HIT companies out there that make users sign “terms of use” agreements where the user is assigning all commercial value of the data to the technology company. Why would that be necessary if there is no value in individual data?
    And by the way, the plaintiff is asserting that their doctor-patient relationship was damaged due to the defendant actions. It was one of the “harms” enumerated to support unjust enrichment.

  6. Gary Lampman says:

    Regardless of how the industry uses or abuses patient records for profit. The aggregate use for profit collection seems unethical and a betrayal of the patients’ trust. However, who says this industry has scruples or ethics either.
    Data Mining is for profit only and has No Medical Value. Clearly, it is a shameful act of secondary profiteering. Surely companies can not bitch about pirating when they, themselves, are complicit in the same act. I don’t care how you package crap, tie it in a bow and market it. It’s still crap!
    Records are the personal property of the patient as they pay for the service. They also pay for the records that are unique to them alone. These records should not be used for profiteering.
    The more anyone analyzes this industry we find cracks in the ethical use of records, exploitation of symptom based practices to target the bankruptcy of patients, and the extension of treatments and tests to maximize. Truth be known; cures are only advertised for sympathy of the Consumer. However, there is NO MONEY IN CURES!!!!! So the practice is designed to pass patients onto a maze of needless tests, treatments, and pharma that gives the presence of doing something. Really, the art of Medical Science has become a commercial sale and dispassionate suitors of patients.

    • Doug D says:

      Gary Lampman wrote: “Records are the personal property of the patient as they pay for the service. They also pay for the records that are unique to them alone. These records should not be used for profiteering.”

      In your arguments, let’s replace the word “patient” with “customer.”

      And then replace “Walgreens” with “Amazon.”

      Does the argument still work? Can we make a compelling case that, in the absence of some explicit “fair use” binding agreement between a business and its customers, Amazon (or Home Depot or American Express etc) can’t profit further by internally slicing and dicing their customer transaction data for cross-selling opportunities, or can’t sell that data (suitably anonymized) to other entities who believe that data has value for some different commercial purpose/s?

      I’m not a lawyer, but I think that’s a really tough argument to make.

      (Whether or not data is SUFFICIENTLY sanitized is a different issue.)

    • Doug Laney says:

      Gary, You’re way off. When you agree to do business with an entity, any entity, the transaction data is *theirs* (as Doug D smartly points out). Yes, HIPAA regulations specify what a healthcare provider or transmitter can do with the personal health info (PHI), and how they must secure it. None of this jives with your rant. Also, you might consider that companies profiting from our aggregate/privatized PHI are in a better position to invest in innovation, thereby servicing us better and improving our health. Therefore, I would like to insist/encourage that my PHI is mined, otherwise the data is just stagnant and useless to me and everyone else.

  7. Ketan Patel says:

    Next lawsuit for HIPAA violation: http://www.practicefusion.com

  8. I am one of 3 primary care physicians in an independent primary care practice that has transitioned completely to EHR. I have been in practice for 33 years as an independent practitioner. “Back-up” now takes approximately 3.5 hours during which time access to patient care records is denied. Aside from the liability issue this presents, access to critical care information is essential. What solutions are economically feasible for a small independent practice?….Rich

  9. Doug Laney says:

    David, I’d like to see the actual answer to the question you pose in the title of your piece.
