THCB

Who Owns Patient Data?

Walgreens is being sued by customers who are not happy that their prescription information – even though it has been de-identified – is being sold by Walgreens to data-mining companies.

The data privacy and security concerns surrounding the transfer of de-identified data are significant.  To “de-identify” what is otherwise protected health information under HIPAA, some outfits will simply strip data of 18 types of identifiers listed in federal regulations.  However, the relevant regulation (45 CFR 164.514(b)(2)(ii)) also provides that this only works if “the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.” Thus, the problem with this approach is that, these days, nobody can disclaim knowledge of the fact that information de-identified by removing this cookbook list of 18 identifiers may be re-identified by cross-matching data with other publicly-available data sources. There are a number of reported instances of this sort of thing happening. The bottom line is that our collective technical prowess has outstripped the regulatory safe harbor.

Is this the basis of the lawsuit brought against Walgreens?  An objection to trafficking in health information that should remain private?  No.  The plaintiff group of customers is suing to share in the profits realized by Walgreens from trading in the de-identified data.

While I haven’t pored over the papers filed in this case, my guess is that there’s enough legal boilerplate in the Walgreens HIPAA notice of privacy practices given out and signed for up front by patients who fill prescriptions so that they do not have a claim worth much more than nuisance value.

This case reminds me of the landmark case of Moore v. Regents of the University of California, decided about twenty years back, where a leukemia patient wanted to share in the profits from a line of cells grown from cells harvested from his body by researchers who told him that his return hospital visits were for checkups and monitoring only.  He lost.

The specific governing rules in play are different, but I don’t see how the ultimate result would be much different this time around, especially since the Walgreens plaintiffs were probably given more information about how their goods might be used (in the notice of privacy practices) than Moore ever was.

Nobody asked me, but I would think that a more productive line of inquiry would lie with figuring out whether the data that is being sold – patient gender, state and age group; name of drug prescribed; and ID number of prescribing physician – could be combined with other data available out there to the folks buying these data from Walgreens and used to re-identify patient records.  Given the slightly-differently-de-identified insurance company records that are out there, and the profit motive of the data-mining companies, I would not be surprised if at least some of these de-identified records were easily re-identified, thus exposing Walgreens to liability for HIPAA violations.  The data-mining companies are almost certainly re-identifying the physicians, since that’s where the value in this whole exercise lies: targeted marketing to physicians based on their prescribing patterns.  (Regarding re-identification of patient information, consider the case of the Netflix prize, where de-identified video rental data could be re-identified by cross-matching with online consumer movie reviews – “Simply removing names does not ensure that data will remain anonymous. And the implications stretch far beyond the world of Netflix.”)   Of course, HIPAA violations just yield a fine, payable to the government (and we know how useful HIPAA CMPs can be in ensuring compliance) – there is no third-party liability under HIPAA – so it would be a stretch to translate them into a plaintiffs’ verdict involving cash.
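A release-side risk check for the question raised above, as an added example that is not part of the original post: it counts how many records are unique on the fields the post lists and how many of those would line up with exactly one row in another data set. All records, the `member` label and the function names are constructed for illustration.

```python
from collections import Counter

# Fields the post lists as sold with each prescription record.
QUASI_IDS = ("gender", "state", "age_group", "drug", "prescriber_id")

def rows(*tuples):
    return [dict(zip(QUASI_IDS, t)) for t in tuples]

# Constructed sample release: names and other direct identifiers already stripped.
RELEASED = rows(
    ("F", "MA", "40-49", "drug_a", "P001"),
    ("F", "MA", "40-49", "drug_b", "P002"),
    ("M", "MA", "40-49", "drug_a", "P001"),
    ("M", "MA", "40-49", "drug_a", "P002"),
    ("F", "VT", "60-69", "drug_b", "P003"),
    ("F", "VT", "60-69", "drug_c", "P003"),
)

# Constructed auxiliary data set that still carries an identity label.
AUXILIARY = [dict(r, member=f"member-{i}") for i, r in enumerate(rows(
    ("F", "MA", "40-49", "drug_b", "P002"),
    ("M", "MA", "40-49", "drug_a", "P001"),
    ("M", "MA", "40-49", "drug_a", "P001"),
    ("F", "VT", "60-69", "drug_c", "P003"),
    ("M", "NH", "20-29", "drug_c", "P004"),
))]

def key(record, fields):
    return tuple(record[f] for f in fields)

def class_sizes(records, fields=QUASI_IDS):
    """Count records sharing each combination of quasi-identifier values."""
    return Counter(key(r, fields) for r in records)

def k_anonymity(records, fields=QUASI_IDS):
    """Smallest equivalence class; k == 1 means some record is unique."""
    return min(class_sizes(records, fields).values())

def linkable(released, auxiliary, fields=QUASI_IDS):
    """Released rows unique in the release that match exactly one auxiliary row."""
    rel, aux = class_sizes(released, fields), class_sizes(auxiliary, fields)
    return [r for r in released if rel[key(r, fields)] == 1 and aux[key(r, fields)] == 1]

def risk_report(released, auxiliary, fields=QUASI_IDS):
    return {"k": k_anonymity(released, fields), "records": len(released),
            "linkable": len(linkable(released, auxiliary, fields))}

COARSE = ("gender", "state", "age_group")  # release with drug and prescriber withheld

if __name__ == "__main__":
    print("as sold:", risk_report(RELEASED, AUXILIARY))
    print("coarsened:", risk_report(RELEASED, AUXILIARY, COARSE))
```

On this sample every record is unique on the five fields, while withholding the drug and prescriber columns puts every record in a class of two.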

David Harlow writes at HealthBlawg, a nationally-recognized health care law and policy blog. He is an attorney and lectures extensively on health law topics to attorneys and to health care providers. Prior to entering private practice, he served as Deputy General Counsel of the Massachusetts Department of Public Health.

Doug Laney

David, I’d like to see the actual answer to the question you pose in the title of your piece.

Richard Traister, M.D.

I am one of 3 primary care physicians in an independent primary care practice that has transitioned completely to EHR. I have been in practice for 33 years as an independent practitioner. “Back-up” now takes approximately 3.5 hours during which time access to patient care records is denied. Aside from the liability issue this presents, access to critical care information is essential. What solutions are economically feasible for a small independent practice?….Rich

Ketan Patel

Next lawsuit for HIPAA violation: http://www.practicefusion.com

Gary Lampman

Regardless of how the industry uses or abuses patient records for profit. The aggregate use for profit collection seems unethical and a betrayal of the patient's trust. However, who says this industry has scruples or ethics either. Data Mining is for profit only and has No Medical Value. Clearly, it is a shameful act of secondary profiteering. Surely companies cannot bitch about pirating when they themselves are complicit in the same act. I don’t care how you package crap, tie it in a bow and market it. It's still crap! Records are the personal property of the patient as…

Doug D

Gary Lampman wrote: “Records are the personal property of the patient as they pay for the service. They also pay for the records that unique to them alone. These records should not be used for profiteering.” In your arguments, let’s replace the word “patient” with “customer.” And then replace “Walgreens” with “Amazon.” Does the argument still work? Can we make a compelling case that, in the absence of some explicit “fair use” binding agreement between a business and its customers, Amazon (or Home Depot or American Express etc.) can’t profit further by internally slicing and dicing their customer transaction data…

Doug Laney

Gary, You’re way off. When you agree to do business with an entity, any entity, the transaction data is *theirs* (as Doug D smartly points out). Yes, HIPAA regulations specify what a healthcare provider or transmitter can do with the personal health info (PHI), and how they must secure it. None of this jives with your rant. Also, you might consider that companies profiting from our aggregate/privatized PHI are in a better position to invest in innovation, thereby servicing us better and improving our health. Therefore, I would like to insist/encourage that my PHI is mined, otherwise the data is…

Margalit Gur-Arie

David, I do agree that the value of each prescription is minimal, but it is not zero. A batch of 1 million scripts is significantly more valuable than a batch of say, 50,000 scripts. Therefore the value of each script can be assessed. I don’t think the plaintiff or the attorneys are expecting a windfall here, and if you look at the history of cases this particular firm brought in the past, you will see that they are on some sort of mission here. One empty soda can is worthless. A truck full of soda cans has financial value. This…

David Harlow

@Margalit – It seems to me that the passage of specific laws on the issue in Maine, New Hampshire and Vermont fuels the notion that without specific legislation the pharmacies are free to do what they’re doing. The relevance of the Moore case is that his claim was: My cells, my $$, and the court said: Since the docs and medical center did something to the cells to make them saleable, they owned the value created there. Similarly, a single prescription record is valuable only to the individual patient, but the aggregated, de-identified (or not …) database, created by Walgreens…

Privacy Fiend

Unfortunately, the basic (and false) premise that a de-identified data set was produced is not valid (According to HIPAA anyway).

The 18th identifier to be removed is “Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section;”

I am certain that Walgreens did not remove all the quasi-identifiers present in their data and thus did not produce a HIPAA-compliant data set.

DeterminedMD

Again, it is not about the money, but stopping the intrusion into patient-physician treatment decisions that are not about profit but improving health. Doubt any of the pharmaceutical efforts are interested in care decisions first, but sales and profit margins as the prime focus for trolling for this information. Hey, if you want to know what I write for, here’s an idea, come to my office and ASK ME! Maybe I won’t tell you, but isn’t that my right, my choice, and my request for whatever anonymity I can have as a provider? The rude and insensitive reply is, “not…

Margalit Gur-Arie

Hi David, you should probably read the briefs, or my post below :-). This is not at all like the leukemia patient case. I may be overly optimistic, but I think they have a little bit of a chance to prevail, and at the very least pioneer a new way to look at this issue.