Who Owns Patient Data?

Walgreens is being sued by customers who are not happy that their prescription information – even though it has been de-identified – is being sold by Walgreens to data-mining companies.

The data privacy and security concerns surrounding the transfer of de-identified data are significant.  To “de-identify” what is otherwise protected health information under HIPAA, some outfits will simply strip data of 18 types of identifiers listed in federal regulations.  However, the relevant regulation (45 CFR 164.514(b)(2)(ii)) also provides that this only works if “the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.” Thus, the problem with this approach is that, these days, nobody can disclaim knowledge of the fact that information de-identified by removing this cookbook list of 18 identifiers may be re-identified by cross-matching data with other publicly-available data sources. There are a number of reported instances of this sort of thing happening. The bottom line is that our collective technical prowess has outstripped the regulatory safe harbor.

Is this the basis of the lawsuit brought against Walgreens?  An objection to trafficking in health information that should remain private?  No.  The plaintiff group of customers is suing to share in the profits realized by Walgreens from trading in the de-identified data.

While I haven’t pored over the papers filed in this case, my guess is that there’s enough legal boilerplate in the Walgreens HIPAA notice of privacy practices given out and signed for up front by patients who fill prescriptions so that they do not have a claim worth much more than nuisance value.

This case reminds me of the landmark case of Moore v. Regents of the University of California, decided about twenty years back, where a leukemia patient wanted to share in the profits from a line of cells grown from cells harvested from his body by researchers who told him that his return hospital visits were for checkups and monitoring only.  He lost.

The specific governing rules in play are different, but I don’t see how the ultimate result would be much different this time around, especially since the Walgreens plaintiffs were probably given more information about how their goods might be used (in the notice of privacy practices) than Moore ever was.

Nobody asked me, but I would think that a more productive line of inquiry would lie with figuring out whether the data that is being sold – patient gender, state and age group; name of drug prescribed; and ID number of prescribing physician – could be combined with other data available out there to the folks buying these data from Walgreens and used to re-identify patient records.  Given the slightly-differently-de-identified insurance company records that are out there, and the profit motive of the data-mining companies, I would not be surprised if at least some of these de-identified records were easily re-identified, thus exposing Walgreens to liability for HIPAA violations.  The data-mining companies are almost certainly re-identifying the physicians, since that’s where the value in this whole exercise lies: targeted marketing to physicians based on their prescribing patterns.  (Regarding re-identification of patient information, consider the case of the Netflix prize, where de-identified video rental data could be re-identified by cross-matching with online consumer movie reviews – “Simply removing names does not ensure that data will remain anonymous. And the implications stretch far beyond the world of Netflix.”)   Of course, HIPAA violations just yield a fine, payable to the government (and we know how useful HIPAA CMPs can be in ensuring compliance) – there is no third-party liability under HIPAA – so it would be a stretch to translate them into a plaintiffs’ verdict involving cash.

David Harlow writes at HealthBlawg, a nationally-recognized health care law and policy blog. He is an attorney and lectures extensively on health law topics to attorneys and to health care providers. Prior to entering private practice, he served as Deputy General Counsel of the Massachusetts Department of Public Health.

Categories: Uncategorized

Tagged as: , , ,

11 replies »

  1. I am one of 3 primary care physicians in a in ndependent primary care practice that has transitioned completely to EHR. I have been in practice for 33 years as an independent practicioner.. “Back-up” now takes approximately 3.5 hours during which time access to patient care records is denied. Aside from the liability issue this presents, access to critical care information is essential. What solutions are economically feasible for a small independant practice?….Rich

  2. Regardless of how the industry uses or abuses patient records for profit. The aggregate use for profit collection seems unethical and a betrayal of the Patients trust. However, who says this industry has scrupples or ethics either.
    Data Mining is for profit only and has No Medical Value. Clearly, it is a shameful act of secondary profitteering . Surely companies can not bitich about pirating when they,themselves are complicit in the same act. I don’t care how you package crap,tie it in a bow and market it . Its still crap!
    Records are the personal property of the patient as they pay for the service.They also pay for the records that unique to them alone. These records should not be used for profiteering.
    The more anyone anaylizes this industry we find cracks in the ethical use of records, exploitation of symptom based practices to target the bankruptcy of patients, and the extension of treatments and tests to maximize. Truth be known ; Cures are only advertised for sympathy of the Consumer. However, there is NO MONEY IN CURES!!!!! So the practice is designed to pass patients onto a maze of needless test, treatments,and pharma that gives the presense of doing something. Really, the art of Medical Science has become a commercial sale and dispassionate suiters of patients.

    • Gary Lampman wrote: “Records are the personal property of the patient as they pay for the service.They also pay for the records that unique to them alone. These records should not be used for profiteering.”

      In your arguments, let’s replace the word “patient” with “customer.”

      And then replace “Walgreens” with “Amazon.”

      Does the argument still work ? Can we make a compelling case that, in the absence of some explicit “fair use” binding agreement between a business and its customers, Amazon (or Home Depot or American Express etc) can’t profit further by internally slicing and dicing their customer transaction data for cross-selling opportunities, or can’t sell that data (suitably anonymized) to other entities who believe that data has value for some different commercial purpose/s ?

      I’m not a lawyer, but I think that’s a really tough argument to make.

      (Whether or not data is SUFFICIENTLY sanitized is a different issue.)

    • Gary, You’re way off. When you agree to do business with an entity, any entity, the transaction data is *theirs* (as Doug D smartly points out). Yes, HIPAA regulations specify what a healthcare provider or transmitter can do with the personal health info (PHI), and how they must secure it. None of this jives with your rant. Also, you might consider that companies profiting from our aggregate/privatized PHI are in a better position to invest in innovation, thereby servicing us better and improving our health. Therefore, I would like to insist/encourage that my PHI is mined, otherwise the data is just stagnant and useless to me and everyone else.

  3. David,
    I do agree that the value of each prescription is minimal, but it is not zero. A batch of 1 million scripts is significantly more valuable than a batch of say, 50,000 scripts. Therefore the value of each script can be assessed.
    I don’t think the plaintiff or the attorneys are expecting a windfall here, and if you look at the history of cases this particular firm brought in the past, you will see that they are on some sort of mission here.
    One empty soda can is worthless. A truck full of soda cans has financial value. This does not give the truck driver license to raid my kitchen and take my soda cans unless I explicitly give him permission to do so.
    There are HIT companies out there that make users sign “terms of use” agreements where the user is assigning all commercial value of the data to the technology company. Why would that be necessary if there is no value in individual data?
    And by the way, the plaintiff is asserting that their doctor-patient relationship was damaged due to the defendant actions. It was one of the “harms” enumerated to support unjust enrichment.

  4. @Margalit – It seems to me that the passage of specific laws on the issue in Maine, New Hampshire and Vermont fuel the notion that without specific legislation the pharmacies are free to do what they’re doing. The relevance of the Moore case is that his claim was: My cells, my $$, and the court said: Since the docs and medical center did something to the cells to make them saleable, they owned the value created there. Similarly, a single prescription record is valuable only to the individual patient, but the aggregated, de-identified (or not …) database, created by Walgreens in this case with its hardware/software, has value to others. Since the plaintiffs are not making the privacy argument, but the “pay us for the commercial value of our data” argument, the claim seems to me to fall flat. The fact that this is brought as a class action highlights my point: No individual plaintiff has a claim worth bringing. What is the value of a single prescription record? Not bloody much. The lead plaintiff and the plaintiffs’ attorney could make some money if the case were successful, but each member of the class would stand to win bupkes.

    @DeterminedMD – Please note that the patients in this case are not seeking to preserve the sanctity of the physician-patient relationship, they are simply seeking to share in the value of the aggregated data.

    @Privacy Fiend – As noted in the post, I agree with you that the data was arguably not de-identified, and that in fact it may not be possible to de-identify data and still make it useful in this context.

  5. Unfortunately, the basic (and false) premise that a de-identified data set was produced is not valid (According to HIPAA anyway).

    The 18th identifier to be removed is “Any other unique identifying
    number, characteristic, or code, except as permitted by paragraph (c) of this

    I am certain that Walgreens did not remove all the quasi-identifiers present in their data and thus did not produce a HIPAA-compliant data set

  6. Again, it is not about the money, but stopping the intrusion into patient-physician treatment decisions that are not about profit but improving health. Doubt any of the pharmaceutical efforts are interested in care decisions first, but sales and profit margins as the prime focus for trolling for this information.

    Hey, if you want to know what I write for, here’s an idea, come to my office and ASK ME! Maybe I won’t tell you, but isn’t that my right, my choice, and my request for whatever anonymity I can have as a provider?

    The rude and insensitive reply is, “not if I can profit from your choices, irregardless if it benefits anyone else besides me and my company!!!”

  7. Hi David, you should probably read the briefs, or my post below :-). This is not at all like the leukemia patient case. I may be overly optimistic, but I think they have a little bit of a chance to prevail, and at the very least pioneer a new way to look at this issue.

Leave a Reply

Your email address will not be published. Required fields are marked *