[Med-privacy] Prescription Data and Privacy

peter marshall pwm@comcast.net
Thu, 24 Jan 2008 15:17:18 -0800


==============================================
  Federal Appellate Court Hears Case on Prescription Data and Privacy
==============================================

Earlier this month, the First Circuit Court of Appeals heard oral
arguments in a case concerning a New Hampshire state law banning the
sale of prescriber-identifiable prescription drug data for marketing
purposes. In August, EPIC and 16 experts in privacy and technology filed
a "friend of the court" brief urging the First Circuit Court of Appeals
to reverse the ruling of the lower court, which held that the NH
Prescription Confidentiality Act violated the free speech rights of data
mining companies.

On June 30, 2006, the New Hampshire legislature unanimously passed the
Prescription Confidentiality Act, which prohibits prescription
information records that contain patient- or prescriber-identifiable
data from being transferred, licensed, sold, or used for most commercial
purposes. This includes marketing, advertising, and other forms of
promotion. The Act specifically bars the use of prescriber-identifiable
data for "physician detailing," which involves the sale of patient
prescription records to data mining firms that generate sales leads for
pharmaceutical companies. The Act explicitly permitted the use of this
data for such non-commercial purposes as research and education.

The Plaintiffs-Appellees, IMS Health and Verispan, are both data mining
companies which purchase and compile prescription information in order
to sell the data. In the District Court, IMS Health and Verispan alleged
that the new Act violated their First Amendment right to free speech,
claiming that: 1) the law was subject to strict scrutiny because it
provided a content-based restriction on non-commercial free speech; 2)
the law violated the First Amendment because it was not narrowly
tailored to serve compelling state interests; and 3) if the judge
determined that the law was subject to intermediate scrutiny because it
only restricted commercial speech, it still did not advance a
substantial government interest in a narrowly tailored way.

In the State's defense, the Attorney General argued: 1) that the law did
not implicate the First Amendment because it did not regulate speech;
and even if the Act did implicate speech, 2) the law should survive
intermediate scrutiny because it advanced the State's substantial
interests in promoting public health, controlling health care costs and
protecting the privacy of patients and doctors, while still allowing the
data to be used for non-commercial purposes. The District Court rejected
all of the Attorney General's arguments, finding that the government did
not have an interest in "preventing the dissemination of truthful
commercial information" and that the law was more expansive than
necessary to promote the State's interests. The District Court held that
the Act did not advance a substantial interest in protecting the privacy
of patients and health care providers. New Hampshire appealed to the
First Circuit Court of Appeals, which will soon hear the case.

There are approximately 1.4 million health care providers in the United
States. These providers write billions of prescriptions each year for
more than 8,000 different pharmaceutical products, which are filled at
54,000 retail pharmacies throughout the country. For every prescription
they fill, the retail pharmacies acquire records, which include: patient
name; prescriber identification; drug name; dosage requirement;
quantity; and date filled. In order to comply with federal and state
privacy laws, patient-identifying information is encrypted and
de-identified, often with software installed by the data mining companies
themselves. The rest of the prescription record remains intact. Thus, a
patient's entire drug history is correlated, and each provider can be
identified along with its prescribing habits. This practice raises
privacy concerns for both patients and health care providers, said EPIC
and the 16 experts in their brief.

EPIC and the experts said the lower court should be reversed, because it
failed to consider the substantial privacy interest in de-identified
patient data. Although de-identification measures are increasingly
innovative and computationally complex, patient data is still vulnerable
to attacks because sophisticated re-identification programs are also
being developed, the experts said. Individuals can be re-identified
using information such as zip code, date of birth, and gender and then
comparing that data to publicly available information. Such information
is easily accessible via birth and death records, incarceration reports,
voter registration files, and driver's license information.
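
The re-identification risk described above can be measured before a data set
is released. The following is an added example, not part of EPIC's text or
the amicus brief: it counts how many distinct patient tokens share each (zip
code, date of birth, gender) combination. The records, tokens and function
names are constructed for illustration, and the coarsening step (3-digit zip
prefix, birth year only) is an assumed mitigation, not one the article names.

```python
from collections import defaultdict

# Constructed sample: the patient name is replaced by an opaque token, but
# quasi-identifiers remain. Fields: (token, zip, date_of_birth, sex, drug)
RECORDS = [
    ("p1", "03101", "1961-04-12", "F", "drug-A"),
    ("p1", "03101", "1961-04-12", "F", "drug-B"),  # same token links the history
    ("p2", "03101", "1961-09-30", "F", "drug-A"),
    ("p3", "03104", "1961-01-05", "F", "drug-C"),
    ("p4", "03301", "1975-07-19", "M", "drug-B"),
    ("p5", "03303", "1975-02-02", "M", "drug-A"),
    ("p6", "03820", "1948-11-23", "M", "drug-C"),
]

def generalize(rec):
    """Coarsen quasi-identifiers: 3-digit zip prefix and birth year only."""
    token, zip_code, dob, sex, drug = rec
    return (token, zip_code[:3], dob[:4], sex, drug)

def classes(records):
    """Map each (zip, dob, sex) tuple to the set of patient tokens sharing it."""
    groups = defaultdict(set)
    for token, zip_code, dob, sex, _drug in records:
        groups[(zip_code, dob, sex)].add(token)
    return groups

def k_anonymity(records):
    """Smallest number of patients sharing one quasi-identifier tuple."""
    return min(len(tokens) for tokens in classes(records).values())

def at_risk(records, k):
    """Tokens of patients who share their tuple with fewer than k patients."""
    return sorted(t for tokens in classes(records).values()
                  if len(tokens) < k for t in tokens)

if __name__ == "__main__":
    coarse = [generalize(r) for r in RECORDS]
    print("raw:    k =", k_anonymity(RECORDS), "at risk:", at_risk(RECORDS, 2))
    print("coarse: k =", k_anonymity(coarse), "at risk:", at_risk(coarse, 2))
```

In this sample every patient is unique on the raw fields, and one patient is
still unique after coarsening, so that record would need to be suppressed or
generalized further before release.
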

This privacy interest in part flows from the reality that data may not
be, in fact, truly de-identified, and also because de-identified data
does impact actual individuals. The experts explained that (1) the
information is not truly anonymized; (2) as a result, there are real
dangers to patient privacy in having this data trade, and therefore (3)
the state interest in protecting patient privacy, ignored by the court
below, requires reversal.

Also this month, the nation's first law requiring consumer notification
of security breaches concerning medical data went into effect.
California's AB1298 expands the state's data breach notification law to
include: unencrypted medical histories, mental or physical conditions,
medical treatments and diagnoses, unencrypted insurance policy or
subscriber numbers, applications for insurance, and claims histories and
appeals. The law applies to all state agencies and companies that do
business with state residents.

California's AB1298, expanding state data breach notification law to
include medical information (pdf):

      http://www.epic.org/redirect/AB1298.html

Amicus Brief of EPIC and 16 Experts in Privacy Law and Technology
(August 20, 2007) (pdf):

      http://www.epic.org/privacy/imshealth/epic_ims.pdf

Opinion of the District Court (April 30, 2007) (pdf):

      http://www.epic.org/privacy/imshealth/dist_ct_op.pdf

New Hampshire Prescription Confidentiality Act:

      http://www.gencourt.state.nh.us/legislation/2006/HB1346.html

EPIC's page on IMS Health v. Ayotte:

      http://www.epic.org/privacy/imshealth/

[EPIC]