The Identity Theft Smoke Screen

Personal data privacy has once again taken center stage in Sorrell v. IMS Health, Inc.[1] Vermont passed the Vermont Confidentiality of Prescription Information Law, which allows the doctors who prescribe drugs to patients to decide whether pharmacies may sell their prescription records.[2] IMS Health and other health information companies contested the law, arguing that it restricts commercial speech because access to such information helps pharmaceutical companies market their drugs effectively to doctors. The Supreme Court is now tasked with determining whether the restriction on access to prescription information is constitutional under the First Amendment.[3]

This post, however, focuses on the secondary effects asserted in the amici curiae briefs supporting the petitioners: the concern that allowing companies to purchase such information threatens data privacy and enables patient re-identification.[4] Under the Health Insurance Portability and Accountability Act (HIPAA), personal health information is de-identified by your local pharmacy before it is shared with any third party. Once the data is de-identified, it is believed, it cannot be linked or traced back to you. De-identifying your health information is the means by which covered entities may share it without your consent or authorization and still comply with the law. The information, once shared, is completely anonymized. After the transfer to a third party such as IMS Health, your information is nothing more than zeros and ones that translate to dispensing dates and drug names. Your prescription record no longer lists your name or the month or day of your birth.[5]

Briefs in the case assert that data mining firms could, hypothetically, build profiles from these de-identified prescription records. Such a profile would capture a patient's prescription habits, including the types of medication, the pharmacies visited and the dates dispensed. The briefs argue that linking these drug profiles to further public information and mining the result could re-identify the patient.

IMS Health, Inc., of course, asserts that it knows of no patient re-identification and that it protects such records with all the security and privacy measures required under HIPAA, as strengthened by the Health Information Technology for Economic and Clinical Health Act (HITECH). So what is the issue, I ask?

A pharmaceutical company neither needs nor wants to know who you are. Aggregate data is more valuable to a marketing operation than a single record with your name on it. What benefit would a company get from a record that says, John Doe, DOB: 01-Jan-1984? It could send you a mailer, but under the current regulations you can opt out of the marketing material, and it stops there. What does help a pharmaceutical company is an aggregate dataset that says Dr. Jane Doe, MD writes 100 scripts for Lipitor ® a month. No one minds that the patients are unidentifiable, and most likely the pharmaceutical company wants to keep it that way. Not only is de-identified data cheaper to buy, but it also assures the third party purchasing it that it is not aiding a HIPAA violation.

Last, it is also asserted that there is no penalty for re-identifying personal health data. Yet HIPAA imposes stark penalties on “a person who knowingly … (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person.”[6] If the offense is committed with the intent to sell, transfer or use the individually identifiable health information for commercial advantage, the penalty can be up to $250,000 and 10 years imprisonment.[7] If claims are brought against companies like IMS Health, they will surely argue that they are not covered entities subject to HIPAA penalties; that, however, does not shield them from civil lawsuits.

What happens if a breach occurs through patient re-identification? In the current healthcare environment, where many companies operate under corporate integrity agreements or deferred prosecution agreements, reporting is most likely encouraged, if not for altruistic reasons then at least for compliance reasons. Once a breach is reported to the Department of Health and Human Services, Office for Civil Rights, and, in most states, to the Secretary of State, privacy and confidentiality laws require that the re-identified patient be notified. That patient, whose privacy rights have been infringed, can then bring an individual civil claim against the organization responsible for the disclosure of their health information and for the collateral damages caused by the unauthorized disclosure. What company today wants to get involved in that kind of bad publicity?

In conclusion, the mere possibility that a patient can be re-identified through data mining does not mean that our current environment will foster such re-identification. The nine Justices of the Supreme Court need to concern themselves with the First Amendment and the commercial speech implications of their ruling, rather than with amici curiae briefs that support public policy positions based on unwarranted fears of patient information disclosure.[8]

I therefore urge you to put yourself in the role of your favorite Justice and consider whether you should be more worried that a company will buy your prescription records and try to determine that you took amoxicillin for a sinus infection when you were five years old, or that the company would rather purchase everything you have posted on Facebook ® or other social networking sites, including every location you have checked in at. Which do you think is more useful for marketing its products? It is with this mindset that you must consider whether the regulation directly advances the governmental interest “in protecting the public health of Vermonters, … the privacy of prescribers and prescribing information” and is no more extensive than necessary to serve that interest.[9]

This post first appeared on Health Reform Watch, the web log of the Seton Hall University School of Law, Health Law & Policy Program.

Christopher J. Asakiewicz, JD, works for ImClone Systems Corporation, an affiliate of Eli Lilly and Company. He graduated from Seton Hall Law in 2011 with a concentration in Health Law.


  1. I’ve long regarded Margalit’s notions regarding health info privacy/security as misguided at best. But – like a stopped clock? – she may, simply by the accumulation of her rhetorical questions concerning the goals and efficacy of Rxco prescription datamining efforts, be verging on something valid here; namely, that all the Rxcos interest in masses of granular prescription data is misplaced – that it probably does not improve their ability to win clinical friends and influence people (to buy more of their wares), and even if it does, it does not do so by all that much.

    In that way, she’s probably sidling up to something like alignment with the original poster. Strange med-fellows, you might say….

  2. Several points:
    Re-identification of “de-identified” data is pretty easy to accomplish nowadays. Perhaps drug companies are not interested in individual patients (how surprising), but others may be.
    This is not about “amoxicillin for a sinus infection”. It is about prescriptions for diseases such as mental disease, addiction, STD to name just a few.
    The fact that one can obtain one set of data from another source, does not imply that all your personal information is now fair game, and quite the opposite is true, since data from other sources can be used to better re-identify your medical records.

    “…just because the possibility exists that a patient can be re-identified with data mining practices, does not mean that our current environment will foster such”, which I assume means that we should have no law to prevent “such”. The “current environment” where I live does not “foster” assault and robbery. Should we dispense with criminal law in my neighborhood? It really never happens here….

    I don’t see why drug companies cannot tend to their “marketplace of ideas” without finding out which doctor does not prescribe enough of their products. The information is only used to better target those who are trying to do their part and reduce health care costs by prescribing generics, and those misguided souls who dare prescribe competitors’ products. Why not go ahead and “educate” all doctors? You know their specialty, so you know which of your products they may be prescribing (or not). Looks like a pretty free “marketplace” to me.

    Besides, it could be argued that how a physician treats a particular disease is his/her intellectual property. What right does anybody have to purchase that IP from a third party (pharmacy) who came into possession of such property due to State law forcing the doctor to disclose it?

    This is not about freedom of speech. Nobody is stopping pharma reps from speaking as best they can. Vermont is trying to assert that physicians should be free to decide whether they want to help your rep speak, or not. I don’t believe there is a constitutional right to receive help from the audience while speaking.

  3. “However, what helps a pharmaceutical company is aggregate datasets that say Dr. Jane Doe, MD writes 100 scripts for Lipitor ® a month.”

    What about my privacy as a physician? It’s no pharmaceutical company’s business what my prescribing practices are. The AMA must be faulted for their role in selling physician data, and forcing us to opt out rather than in. The legal protections provided in the Vermont law would extend not just to patients but to physicians.