[Med-privacy] prescription privacy

[peter marshall]

  Prescription Data Used To Assess Consumers
Records Aid Insurers but Prompt Privacy Concerns

By Ellen Nakashima
Washington Post Staff Writer
Monday, August 4, 2008; A01

Health and life insurance companies have access to a powerful new tool=20=

for evaluating whether to cover individual consumers: a health "credit=20=

report" drawn from databases containing prescription drug records on=20
more than 200 million Americans.

Collecting and analyzing personal health information in commercial=20
databases is a fledgling industry, but one poised to take off as the=20
nation enters the age of electronic medical records. While lawmakers=20
debate how best to oversee the shift to computerized records, some=20
insurers have already begun testing systems that tap into not only=20
prescription drug information, but also data about patients held by=20
clinical and pathological laboratories.

Traditionally, insurance companies have judged an applicant's risk by=20
gathering medical records from physicians' offices. But the new tools=20
offer the advantage of being "electronic, fast and cheap," said Mark=20
Franzen, managing director of Milliman IntelliScript, which provides=20
consumers' personal drug profiles to insurers.

The trend holds promise for improved health care and cost savings, but=20=

privacy and consumer advocates fear it is taking place largely outside=20=

the scrutiny of federal health regulators and lawmakers.

Ingenix, a Minnesota-based health information services company that had=20=

$1.3 billion in sales last year -- and Wisconsin-based rival Milliman=20
-- say the drug profiles are an accurate, less expensive alternative to=20=

seeking physician records, which can take months and hundreds of=20
dollars to obtain. They note that consumers authorize the data release=20=

and that the services can save insurance companies millions of dollars=20=

and benefit consumers anxious for a decision.

"Some insurers can make a decision in the same day, or right on the=20
spot," Franzen said. "That's the real 'value-add.' "

But the practice also illustrates how electronic data gathered for one=20=

purpose can be used and marketed for another -- often without=20
consumers' knowledge, privacy advocates say. And they argue that=20
although consumers sign consent forms, they effectively have to=20
authorize the data release if they want insurance.

"As health care moves into the digital age, there are more and more=20
companies holding vast amounts of patients' health information," said=20
Joy Pritts, research professor at Georgetown University's Health Policy=20=

Institute. "Most people don't even know these organizations exist.=20
Unfortunately the federal health privacy rule does not cover many of=20
them. . . . The lack of transparency with how all of this works is=20
disturbing."

Ingenix and Milliman create the profiles by plumbing rich databases of=20=

prescription drug histories kept by pharmacy benefit managers (PBMs),=20
which help insurers process drug claims. Ingenix, for instance, has=20
servers in the PBM data centers, updating the drug files as frequently=20=

as once a day, said John Stenson, senior vice president of consulting=20
for Ingenix, which is a division of UnitedHealth Group. The corporation=20=

also owns UnitedHealthcare, the nation's second-largest insurer.

When an insurer makes an online query about an applicant, Ingenix or=20
Milliman's servers scour the data and within minutes or less return=20
reports to a central server at the company. The server aggregates the=20
information going back as far as five years, including the drugs and=20
dosages prescribed, dates filled and refilled, the therapeutic class=20
and the name and address of the prescribing doctor.

Then comes the analysis.

Ingenix's MedPoint tool provides insurers a "pharmacy risk score," or a=20=

number that represents an "expected risk" for a group of people, such=20
as 30- to 35-year-old women who have taken prescription drugs, Stenson=20=

said. Higher scores imply higher medical costs.

Milliman's IntelliScript codes drugs red, yellow or green, according to=20=

the insurer's instructions, with red signaling the greatest risk,=20
Franzen said. Red codes could include the so-called AIDS cocktail drugs=20=

and cancer medications, he said.

The companies receive data only on individuals who are in clients in=20
PBMs' databases, generally excluding, say, people who pay for drugs in=20=

cash. The profiles cost insurers about $15 a search. IntelliScript gets=20=

about 1 million queries from insurers a year, largely individual health=20=

insurers.

The system can save money for insurers, said Richard Dick, an=20
entrepreneur who built the database system that Ingenix acquired in=20
2002.

For instance, if MedPoint produces a report that an individual has been=20=

on the highest dose of the cholesterol-reducing drug Zocor for 18=20
monts, the insurer "would be able to know that you have a very high,=20
near-intractable cholesterol problem," Dick said, and could avoid a=20
costly blood test.

 =46rom a business standpoint, it makes no sense for an insurer to sell =
a=20
plan with a $200 monthly premium if the company knows that the consumer=20=

is taking medications that cost $400 every six months, industry experts=20=

said. That is why having access to an "objective" source of third-party=20=

information is valuable, said Tia Goss Sawhney, a Chicago area health=20
insurance actuary who has used both companies' tools. "Though most=20
people tell the truth most of the time, there are people out there who=20=

don't, who leave out something that's incredibly relevant, who may even=20=

be able to defraud a company," she said. "That's important because=20
ultimately the people who tell the truth have to pay for those who=20
don't."

Franzen, whose firm expects revenue of $575 million this year, said his=20=

clients tell him that about 10 percent of applicants do not disclose=20
pertinent medical conditions in their applications that are later=20
revealed by prescription drug history.

Some health experts worry that insurance companies can make faulty=20
assumptions by looking at prescription drug records, because many drugs=20=

have multiple uses. "I had a patient on Amitriptyline for migraines and=20=

they were denied life insurance because it's also an antidepressant,"=20
said physician Kate Atkinson of Amherst, Mass. "I had to explain it=20
wasn't being used for depression." Another patient was on Prozac -- not=20=

for depression, but for menopausal hot flashes. "I wrote an appeal=20
letter, and they still wouldn't give it to her," Atkinson said.

Services such as MedPoint are just "one of many tools" underwriters use=20=

to make coverage decisions, said Tyler Mason, a spokesman for=20
UnitedHealthcare, which uses MedPoint. A high-risk score on a profile=20
will often lead to requests for more information from the applicant, he=20=

said.

Ingenix and Milliman officials stress that they provide data only with=20=

the patient's consent, as required by the Health Insurance Portability=20=

and Accountability Act (HIPAA), a 1996 law that governs personal health=20=

records information. But HIPAA does not give the Department of Health=20
and Human Services the ability to directly investigate or hold=20
accountable entities, such as pharmacy benefit managers or companies=20
such as Ingenix and Milliman, who are not covered by HIPAA.

A health privacy proposal pending in Congress would expand federal=20
officials' ability to regulate such "downstream" organizations, audit=20
their activities and impose civil fines. The bill also includes a=20
prohibition on the sale of electronic medical records.

Tim Sparapani, senior legislative counsel at the American Civil=20
Liberties Union, said that the products that Ingenix and Milliman are=20
marketing represent the "commodification" of electronic medical records=20=

by third parties. "We've got to stop these practices before the=20
marketplace is fully developed and patients lose all control over their=20=

medical information," he said.

The field is growing rapidly. Realtime Solutions Group, a company in=20
Woodridge, Ill., is testing whether lab data can be aggregated with=20
prescription and other data for underwriting purposes. The firm is=20
working with two major commercial labs and three large insurers, using=20=

thousands of real applicants. Initial results are promising enough that=20=

the company plans to proceed to the data-analysis stage, company=20
co-founder Tedd Determan said.

"A lot of insurance companies are starting to use this type of data,"=20
said Determan, who co-founded IntelRx, a company that mined=20
prescription databases and was sold to Milliman in 2005. "They said,=20
'All right. Prescription data is working, let's go and look at other=20
types of data, too.' It's because of the success of one, that we're=20
going after others."

In February, the Federal Trade Commission issued an order saying that=20
MedPoint and IntelliScript are consumer reports under the Fair Credit=20
Reporting Act, so the companies must notify insurers that consumers=20
denied insurance on the basis of these reports have the right to=20
request a copy of the report and that errors be corrected. The FTC's=20
order followed a settlement of allegations that the companies violated=20=

the credit-reporting law by failing to provide such notice to insurers.

Bob Gellman, an independent privacy consultant in Washington, said the=20=

FTC's decision not to fine the companies sends "the message that it is=20=

okay to ignore the law." That, he said, "is absolutely outrageous."

As more health records become electronic, he said, more parties will=20
compete to sell more comprehensive patient data to insurers, driving=20
down data prices. "It will all likely be lawful," Gellman said, "but=20
consumers will likely continue to have no real meaningful choices if=20
they want insurance."

Dick, who conceived the idea of linking the pharmacy databases for=20
underwriting purposes a decade ago, said the pharmacy benefit managers=20=

understood the system's privacy implications. He said their attitude=20
seemed one of, " 'Ooh, this is a 60 Minutes' story in the making.'=20
Generally, they wanted to make it a super-secret database, restricted=20
to underwriting."

But now, he said, "there's a huge case for it being opened up for all=20
legitimate access," whether for a patient in an emergency room or for=20
federal government purposes. The key, he said, is full transparency.

He said he has created a privacy tool that requires users to consent=20
before specific data, such as prescription histories, can be released.=20=

To work, he said, the tool must be independent of all who hold the=20
data.

"Otherwise," he said, "you have the fox in charge of the henhouse."

Staff researcher Magda Jean-Louis contributed to this report.


=A9 2008 The Washington Post Company