"New Perils of Sharing or Selling Prescription Information"

[Peter Marshall <techdiff@ix.netcom.com>]

http://www.medscape.com/SCP/DBT/1998/v10.n08/d4241.mein/d4241.mein-01.html.

New Perils of Sharing or Selling Prescription Information

Robyn A. Meinhardt, RN, JD, Kimberly Applequist, JD, Paula C. Ohliger, JD

[Drug Benefit Trends 10(8):27-28, 1998. © 1998 SCP Communications, Inc.]

Introduction

Although the right to privacy is as American as apple pie, we are currently
debating just how much privacy we can afford, at least when it comes to
health information. The various federal initiatives addressing the issue of
confidentiality of patient health information have recently received much
attention. In June, this column highlighted one of the several proposed
federal bills that address this issue.[1]

Both current federal law and the pending federal bills define "health
information" as encompassing records associated with prescribing and
dispensing pharmaceuticals and, to the extent that PBMs "furnish health care
services or supplies," consider PBMs to be "health care providers."[2]
However, PBMs may need to look no further than their own state law to find
potential legal issues regarding disclosure of patient prescription
information. For example, in California, any "person who transmits,
maintains, or receives any prescription or prescription refill, orally, in
writing, or electronically, shall ensure the security, integrity and
confidentiality of the prescription and any information contained
therein."[3] California's regulatory scheme also provides that "No
pharmacist shall exhibit, discuss, or reveal the contents of any
prescription, the therapeutic effect thereof, the nature, extent, or degree
of illness suffered by any patient or any medical information furnished by
the prescriber with any person other than the patient or his or her
authorized representative, the prescriber or other licensed practitioner
then caring for the patient, another licensed pharmacist serving the
patient, or a person duly authorized by law to receive such information."[4]
Thus, California law narrowly limits disclosures of health information by
pharmacists and PBMs. Similarly, in Washington State pharmacy prescription
records are to be "for confidential use in the pharmacy only."[5]

Certainly, state laws protecting pharmacy-related health information are not
uniform-a problem that the proposed federal health information legislation
would partially address. As recent events demonstrate, however, prescription
information may be protected from disclosure even absent explicit state laws
regarding such information.

Weld and Kelly v. CVS Pharmacy, Inc., Elensys, and Glaxo Wellcome, et al

CVS Pharmacy, Inc. (the large drugstore chain), Elensys Care Services, Inc.
(a direct-mail marketing company), and Glaxo Wellcome Inc. (the large
pharmaceutical manufacturer) are currently defendants in a class action
lawsuit alleging breach of privacy based on disclosure of patient
prescription information.[6] The CVS lawsuit followed on the heels of a
February 1998 story in The Washington Post, which "exposed" a similar
marketing arrangement between Elensys and Giant Food, Inc., a supermarket
chain that operates pharmacies within its stores.

According to documents filed in the Weld case, CVS contracted with Elensys
to organize targeted mailings to certain prescription drug customers. In the
mailing, patients were reminded to refill their prescriptions and were also
provided with information about drugs that they might be interested in,
based on their previous purchases of prescription drugs. The plaintiff's
amended complaint contends that Elensys' direct mailing campaign
specifically focused on CVS customers who fit specified criteria for use of
certain drugs, such as Glaxo Wellcome's new prescription smoking cessation
pill, Zyban.

In the press, CVS has defended its direct-mailing practice, explaining that
the arrangement with Elensys was part of an effort to educate customers
about various medications and to increase customer compliance with the
regimens. CVS claims that it never shared customers' medical histories with
Elensys or violated any state confidentiality regulations. Furthermore,
according to the 3 defendant companies, Glaxo Wellcome was not given any
patient-identifiable information. CVS also says that its customers were
asked whether they were interested in receiving letters about new products,
and that mailings were sent only to those customers who gave permission.

While the Weld lawsuit is only in the beginning stages of litigation, it may
already have had its intended effect: Both CVS and Giant terminated their
arrangements with Elensys this past February.

The Weld action was brought in Massachusetts, which does not explicitly
prohibit by statute or regulation the disclosure of prescription information
by a pharmacy; like many states, Massachusetts' protections for
pharmacy-related health information focus on pharmacists.[7] So CVS
customers Weld and Kelly have based their action on Massachusetts' statutory
right to privacy and several common-law theories. Specifically, Weld has
alleged, among other things, the following claims:

   * Violation of Mass. Gen. Laws. Ann., Ch. 214, §1B, providing that "a
     person shall have a right against unreasonable, substantial or serious
     interference with his privacy";

   * Breach of CVS's common-law duty and fiduciary duty to its customers to
     maintain the confidentiality of customer prescription and other
     personal medical information;

   * The release of confidential prescription information violates Mass.
     Gen. Laws. Ch. 93A, §2, prohibition on "unfair methods of competition
     and unfair practices in the conduct of any trade or commerce"; and

   * Tortious misappropriation of private as well as personal information.

Implications of the Weld Case for PBMs

To begin with, PBMs often possess patient prescription information that
could be of value to drug manufacturers or other health care organizations;
however, given the fall-out from CVS's arrangement, PBMs share or sell such
information without patient consent at their peril. Moreover, when a
pharmaceutical manufacturer owns a PBM company (as is the case with Merck,
which owns Medco, or Eli Lily, which owns PCS Health Systems), special
attention must be given to keeping individual health information
confidential. Attempts to obtain patient consent to disclosures of health
information between such entities must comply with state and federal law. On
the other hand, "anonymized" health information (from which all identifiers
of the individual have been eliminated) is not subject to disclosure
prohibitions or consent requirements, and may be all that is necessary for
certain marketing predictions and other uses.

Databases of health information can be extremely valuable to organizations
seeking to position themselves to benefit from current and future health
care needs. Nonetheless, organizations that control confidential information
must carefully consider whether and under what circumstances such
information can be used or disclosed.

[....]

References

  1. Senate Bill 1921, the proposed Health Care Personal Information
     Nondisclosure Act of 1998, by Senator James Jeffords (R-Vt).

  2. See, for example, the Health Insurance Portability and Accountability
     Act of 1996, 42 US Code §1320d(3) and (4).

  3. Calif. Regs. Code, Title 16, §1717.4.

  4. Calif. Regs. Code, Title 16, §1764.

  5. Wash. Rev. Code Ann., §18.64.245.

  6. Weld and Kelly vs. CVS Pharmacy, Inc., et al: Civil Action No.
     98-0897-F, Superior Court Department of the Trial Court, Commonwealth
     of Massachusetts.

  7. Mass. Regs. Code, Title 247, §9.01(19)(1998).

  ---------------------------------------------------------------------
Copyright © 1994-1998 by the publishers involved.