[Med-privacy] prescriptions

peter marshall pwm@comcast.net
Sun, 9 Aug 2009 12:14:11 -0700


August 9, 2009

And You Thought a Prescription Was Private

By MILT FREUDENHEIM
MORE than 10 years after she tried without success to have a baby,
Marcy Campbell Krinsk is still receiving painful reminders in her
mail. The ads and promotions started after she bought fertility drugs
at a pharmacy in San Diego.

Marketers got hold of her name, and she found coupons and samples in
her mail that shadowed the growth of an imaginary child — at first,
for Pampers and baby formula, then for discounts on family photos, and
all the way through the years to gifts suitable for an elementary
school graduate.

“I had three different in vitro procedures,” said Ms. Krinsk, now 55,
a former telecommunications executive who lives with her husband in
San Diego. “To just go to the mailbox and get that stuff, time after
time after time, it was just awful.”

Like many other people, Ms. Krinsk thought that her prescription
information was private. But in fact, prescriptions, and all the
information on them — including not only the name and dosage of the
drug and the name and address of the doctor, but also the patient’s
address and Social Security number — are a commodity bought and sold
in a murky marketplace, often without the patients’ knowledge or
permission.

That may change if some little-noted protections from the Obama
administration are strictly enforced. The federal stimulus law enacted
in February prohibits in most cases the sale of personal health
information, with a few exceptions for research and public health
measures like tracking flu epidemics. It also tightens rules for
telling patients when hackers or health care workers have stolen their
Social Security numbers or medical information, as happened to Britney
Spears, Maria Shriver and Farrah Fawcett before she died in June.

“The new rules will plug some gaping holes in our federal health
privacy laws,” said Deven McGraw, a health privacy expert at the
nonprofit Center for Democracy and Technology in Washington. “For the
first time, pharmacy benefit managers that handle most prescriptions
and banks and contractors that process millions of medical claims will
be held accountable for complying with federal privacy and security
rules.”

The law won’t shut down the medical data mining industry, but there
will be more restrictions on using private information without
patients’ consent and penalties for civil violations will be
increased. Government agencies are still writing new regulations
called for in the law.

Ms. Krinsk was never able to find out who sold her information, but
companies that have been accused in lawsuits of buying and selling
personal medical data include drugstore chains like Walgreens and
data-mining companies like IMS Health and Verispan. CVS Caremark, which
handles prescriptions for corporate clients, has also been accused of
violating patients’ privacy.

These companies all say that names of patients are removed or
encrypted before data is sold, typically to drug manufacturers.

But as Ms. Krinsk’s case shows, there are leaks in the system.

Before the changes, privacy regulations mainly applied to hospitals
and doctors. Enforcement was weak, and there were lots of loopholes.

Privacy experts cite research by Latanya Sweeney, director of the Data
Privacy Lab at Carnegie Mellon University in Pittsburgh, which shows
that a computer-savvy snooper can easily match names, addresses,
Social Security numbers and so on to “re-identify” information that
had supposedly been rendered anonymous.

“Our biggest concern is the complete lack of protection against
re-identifying data that was supposed to be anonymous and secure,” Ms.
McGraw said.

TRACKING prescriptions has been a big business for decades. Data
miners say their research is valuable because gathering and analyzing
information from thousands of people helps identify trends and
provides indications of potentially dangerous side effects of drugs.

“Data stripped of patient identity is an important alternative in
health research and managing quality of care,” said Randy Frankel, an
IMS vice president. As for the ability to put the names back on
anonymous data, he said IMS has “multiple encryptions and various ways
of separating information to prevent a patient from being
re-identified.”

“De-identified health information is our core business,” he said.

IMS Health reported operating revenue of $1.05 billion in the first
half of 2009, down 10.6 percent from the period a year earlier. Mr.
Frankel said he did not expect growing awareness of privacy issues to
affect the business.

CVS Caremark says it is careful about patient data. “In very limited
circumstances, we exchange aggregated, de-identified data with third
parties to assist the health care community in understanding patient
use of prescription medications with the goal of achieving better
health outcomes,” said Carolyn Castel, a company spokeswoman.

Selling data to drug manufacturers is still allowed, if patients’
names are removed. But the stimulus law tightens one of the biggest
loopholes in the old privacy rules. Pharmacy companies like Walgreens
have been able to accept payments from drug makers to mail advice and
reminders to customers to take their medications, without obtaining
permission. Under the new law, the subsidized marketing is still
permitted but it can no longer promote drugs other than those the
customer already buys.

The ban on marketing is even more strict in California, where
Walgreens is fighting off a class-action lawsuit filed on behalf of
customers who received the subsidized mailings before the state
outlawed them in 2004. Michael Polzin, a Walgreens spokesman, defended
the mailings as a cost-cutting measure. “Patients who fail to properly
take their medication cost the U.S. health care system $177 billion a
year,” when they fall sick and need treatment, he said.

The data mining industry, meanwhile, is challenging laws in New
Hampshire, Maine and Vermont that ban collecting and selling
prescription information to drug makers, which use it to decide which
doctors to market to.

The companies in the case, IMS Health and Verispan, now part of the
private company SDI Health, said the identities of patients were
removed. “At no time does SDI ever receive any identifiable patient
information nor any means to identify any patient from the data we
handle. All data is de-identified prior to transmission to SDI,” said
Andrew Kress, chief executive of SDI.

Privacy advocates and a judge in the case argued that de-identified
information could easily spin out of control. “This information
quickly finds its way into other databases, including those of
insurance carriers and pharmacy benefits managers,” Judge Bruce M.
Selya wrote in a federal appeals court decision upholding the New
Hampshire law.

IN another big change, the stimulus law provides $19 billion to push
doctors toward installing electronic records systems. It is a
milestone on the road toward President Obama’s goal of digitizing all
medical records within five years. But digitization creates the
potential for more abuses by hackers, as well as blackmail and
insurance fraud.

“Privacy is under greater duress than ever before as medical records
are switched from paper to electronic,” said Pam Dixon, a consumer
advocate and executive director of the World Privacy Forum near San
Diego.

Administration officials say privacy guarantees are essential. “We
can’t afford to go forward with our plans unless we have assured the
American public that the privacy of their information is assured,”
said Dr. David Blumenthal, the Health and Human Services Department’s
national coordinator for health information technology.

Companies like Google, Microsoft and WebMD see a lucrative business
opportunity in assembling and holding personal health records.
Patients and their doctors would be able to consult the records
wherever and whenever needed. But the companies themselves recognize
that they have work to do to persuade consumers and physicians that
records will be safe and protected.

Although as many as one in four adult Americans are currently offered
an online personal health record, by a health plan or physician’s
office, most have not taken up the offer.

Google, Microsoft and WebMD all say they will not show advertising
alongside a person’s health records. But visitors to WebMD, Google
Health and Microsoft’s site, HealthVault, see ads for drugs for
diseases like osteoporosis or acid reflux as they seek information on
an array of ailments.

Technology experts say identities of viewers and their health
interests are often captured at the moment they click on online ads
for a drug. That provides the advertiser with a prospective customer
to pursue online or by mail.

“Personal health records linked to advertising, even indirectly, put
them in the hands of marketers and profilers,” said Robert Gellman, an
independent privacy consultant in Washington.

Microsoft and WebMD acknowledge that the privacy rules in the stimulus
law apply to them. Google says the law’s prohibitions do not apply to
it, except for its duty to report any breaches of medical privacy.
“Google is bound by the privacy policy that people agree to when they
sign up,” said Christine Chen, a Google spokeswoman.

The new law also requires the Federal Trade Commission and the
Department of Health and Human Services to clarify the rules for
privacy violations and gives all 50 states’ attorneys general new
authority to enforce the federal rules.

Some recent high-profile incidents reveal the extent of the problem.
In Virginia, a state health agency notified 530,000 residents in June
that their Social Security numbers were at risk after a hacker claimed
to have invaded a state monitoring database in April and demanded $10
million ransom to return the stolen data. State officials said they
were still investigating the breach.

Ms. Fawcett was plagued by lurid tabloid reports fueled with
information from her cancer treatment records at the University of
California, Los Angeles Medical Center. And in May, Kaiser Permanente
paid a $250,000 fine to California after it reported that 21
unauthorized employees and two physicians had invaded the records of
Nadya Suleman, the woman who gave birth to eight infants in a Kaiser
hospital in January.

Since 2003, more than 45,000 complaints have been filed at the civil
rights office in the Department of Health and Human Services by people
who said their medical privacy was violated. The office says it has
taken enforcement actions on more than 8,900 cases in that period,
covering millions of people.

A single case can involve thousands of patients. For example, CVS paid
a $2.25 million settlement early this year after an Indianapolis
television station found paper records with CVS customers’ personal
drug information had been tossed into Dumpsters. In the settlement
agreement, CVS promised to protect patient information at all 6,300
CVS stores.

A survey sponsored by the Federal Trade Commission suggested that tens
of thousands of patients each year had their records broken into by
hackers and unauthorized employees of hospitals and other health
industry companies. Keith B. Anderson, an economist at the F.T.C.,
estimated that the personal information of about 890,000 adults was
misused between 2001 and 2006. Stolen identities and data were used to
trick Medicare, Medicaid and other insurers into paying for bogus
medical treatment and supplies, he said.

Deborah Peel, a psychiatrist in Austin, Tex., who lobbies for privacy
rights, said she predicts “a looming battle between the data thieves
and those that believe in constructing a digital universe with even
stronger protections for the privacy of personal information than we
have in the world of medical records on paper.”

SOME people think that the stimulus law doesn’t go far enough to
protect patients’ privacy. While it bans paying a pharmacist for
marketing to patients, it does not bar the sale of personal drug
information by one pharmacy to another, as happened to Randee
Lonergan, 35, a school administrator who now lives in Florida.

She says that when a pharmacy closed in a Stop & Shop supermarket on
Long Island, it sold her information to a nearby Target store. She was
upset when her new pharmacist asked if she was still taking injections
for a skin problem. “They knew all about me and my family,” she said.
Adding to her chagrin, she saw a person she happened to know working
at the pharmacy. A Target spokeswoman says the company complied with
all privacy laws.

Ms. Krinsk in San Diego, whose privacy was repeatedly violated for
more than a decade, says she is willing to speak out if it draws
attention to the problem. “I’m a pretty tough person,” she said.


Copyright 2009 The New York Times Company